Malware Analysis Report

2024-11-30 07:48

Sample ID 240603-gty63sfc97
Target 9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe
SHA256 124e2f5a8055b6bbd8066b83b7270f3ef93efacea7a2d9130522a2164e942ed3
Tags: spyware stealer
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

124e2f5a8055b6bbd8066b83b7270f3ef93efacea7a2d9130522a2164e942ed3

Threat Level: Shows suspicious behavior

The file 9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe was classified as showing suspicious behavior.

Malicious Activity Summary

spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious behavior: LoadsDriver

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Checks processor information in registry

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 06:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 06:06

Reported

2024-06-03 06:09

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\bc8a219b4b1389a.bin C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\orbd.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java-rmi.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\xjc.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\orbd.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\java.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{28C8484C-303E-4CB2-A704-E3FF47E10F7C}\chrome_installer.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaws.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b4c65687cb5da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000faf994687cb5da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b66926697cb5da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cad1ac687cb5da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab9792687cb5da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000393590687cb5da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057d730687cb5da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f79d16687cb5da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" C:\Windows\system32\SearchProtocolHost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 177.188.244.54.in-addr.arpa udp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 107.10.141.18.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 przvgke.biz udp
US 34.193.97.35:80 przvgke.biz tcp
NL 23.62.61.194:443 www.bing.com tcp
US 34.193.97.35:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 35.97.193.34.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 xlfhhhm.biz udp
US 44.200.43.61:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 61.43.200.44.in-addr.arpa udp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 saytjshyf.biz udp
US 3.237.86.197:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 197.86.237.3.in-addr.arpa udp
US 8.8.8.8:53 fwiwk.biz udp
US 44.208.124.139:80 fwiwk.biz tcp
US 44.208.124.139:80 fwiwk.biz tcp
US 8.8.8.8:53 139.124.208.44.in-addr.arpa udp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 54.80.154.23:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 160.200.246.34.in-addr.arpa udp
US 8.8.8.8:53 23.154.80.54.in-addr.arpa udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.13.20:80 myups.biz tcp
US 8.8.8.8:53 200.78.164.35.in-addr.arpa udp
US 8.8.8.8:53 34.10.94.3.in-addr.arpa udp
US 8.8.8.8:53 oshhkdluh.biz udp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 8.8.8.8:53 20.13.160.165.in-addr.arpa udp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 34.211.97.45:80 jpskm.biz tcp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 54.244.188.177:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 45.97.211.34.in-addr.arpa udp
US 8.8.8.8:53 wllvnzb.biz udp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 54.80.154.23:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 3.237.86.197:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
SG 18.141.10.107:80 acwjcqqv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 44.213.104.86:80 vyome.biz tcp
US 8.8.8.8:53 yauexmxk.biz udp
US 54.80.154.23:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 13.251.16.150:80 iuzpxe.biz tcp
US 8.8.8.8:53 86.104.213.44.in-addr.arpa udp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 13.251.16.150:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.211.97.45:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 34.218.204.173:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 13.251.16.150:80 typgfhb.biz tcp
US 8.8.8.8:53 173.204.218.34.in-addr.arpa udp
US 8.8.8.8:53 esuzf.biz udp
US 34.211.97.45:80 esuzf.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 3.94.10.34:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 44.213.104.86:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
IE 3.254.94.185:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
US 8.8.8.8:53 185.94.254.3.in-addr.arpa udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 44.200.43.61:80 oflybfv.biz tcp
US 8.8.8.8:53 140.228.214.85.in-addr.arpa udp
US 8.8.8.8:53 yhqqc.biz udp
US 34.211.97.45:80 yhqqc.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 44.200.43.61:80 mnjmhp.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 18.208.156.248:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 13.251.16.150:80 jdhhbs.biz tcp
US 8.8.8.8:53 248.156.208.18.in-addr.arpa udp
US 8.8.8.8:53 mgmsclkyu.biz udp
IE 34.246.200.160:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
SG 18.141.10.107:80 warkcdu.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 13.251.16.150:80 gcedd.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 18.208.156.248:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 44.213.104.86:80 xccjj.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 44.221.84.105:80 hehckyov.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 54.244.188.177:80 rynmcq.biz tcp
US 8.8.8.8:53 uaafd.biz udp
IE 3.254.94.185:80 uaafd.biz tcp
US 8.8.8.8:53 eufxebus.biz udp
SG 18.141.10.107:80 eufxebus.biz tcp
US 8.8.8.8:53 pwlqfu.biz udp
IE 34.246.200.160:80 pwlqfu.biz tcp
US 8.8.8.8:53 rrqafepng.biz udp
US 44.200.43.61:80 rrqafepng.biz tcp
US 8.8.8.8:53 ctdtgwag.biz udp
US 3.94.10.34:80 ctdtgwag.biz tcp
US 8.8.8.8:53 tnevuluw.biz udp
US 35.164.78.200:80 tnevuluw.biz tcp
US 8.8.8.8:53 whjovd.biz udp
SG 18.141.10.107:80 whjovd.biz tcp
US 8.8.8.8:53 gjogvvpsf.biz udp
US 8.8.8.8:53 reczwga.biz udp
US 3.237.86.197:80 reczwga.biz tcp
US 8.8.8.8:53 bghjpy.biz udp
US 34.211.97.45:80 bghjpy.biz tcp
US 8.8.8.8:53 damcprvgv.biz udp
US 54.80.154.23:80 damcprvgv.biz tcp
US 8.8.8.8:53 ocsvqjg.biz udp
IE 3.254.94.185:80 ocsvqjg.biz tcp
US 8.8.8.8:53 ywffr.biz udp
US 54.244.188.177:80 ywffr.biz tcp
US 8.8.8.8:53 ecxbwt.biz udp
US 54.244.188.177:80 ecxbwt.biz tcp
US 8.8.8.8:53 pectx.biz udp
US 44.213.104.86:80 pectx.biz tcp
US 8.8.8.8:53 zyiexezl.biz udp
US 54.80.154.23:80 zyiexezl.biz tcp
US 8.8.8.8:53 banwyw.biz udp
US 3.237.86.197:80 banwyw.biz tcp
US 8.8.8.8:53 muapr.biz udp
US 8.8.8.8:53 wxgzshna.biz udp
US 8.8.8.8:53 zrlssa.biz udp
US 3.237.86.197:80 zrlssa.biz tcp
US 8.8.8.8:53 jlqltsjvh.biz udp
SG 18.141.10.107:80 jlqltsjvh.biz tcp
US 8.8.8.8:53 xyrgy.biz udp
US 54.80.154.23:80 xyrgy.biz tcp
US 8.8.8.8:53 htwqzczce.biz udp
US 34.193.97.35:80 htwqzczce.biz tcp
US 34.193.97.35:80 htwqzczce.biz tcp
US 8.8.8.8:53 kvbjaur.biz udp
US 54.244.188.177:80 kvbjaur.biz tcp
US 8.8.8.8:53 uphca.biz udp
US 44.221.84.105:80 uphca.biz tcp
US 8.8.8.8:53 fjumtfnz.biz udp
US 34.211.97.45:80 fjumtfnz.biz tcp
US 8.8.8.8:53 hlzfuyy.biz udp
US 34.211.97.45:80 hlzfuyy.biz tcp
US 8.8.8.8:53 rffxu.biz udp
IE 34.246.200.160:80 rffxu.biz tcp
US 8.8.8.8:53 cikivjto.biz udp
US 44.213.104.86:80 cikivjto.biz tcp
US 8.8.8.8:53 qncdaagct.biz udp
US 34.218.204.173:80 qncdaagct.biz tcp
US 8.8.8.8:53 shpwbsrw.biz udp
SG 13.251.16.150:80 shpwbsrw.biz tcp
US 8.8.8.8:53 cjvgcl.biz udp
US 54.80.154.23:80 cjvgcl.biz tcp
US 8.8.8.8:53 neazudmrq.biz udp
US 3.237.86.197:80 neazudmrq.biz tcp
US 8.8.8.8:53 pgfsvwx.biz udp
US 54.80.154.23:80 pgfsvwx.biz tcp
US 8.8.8.8:53 aatcwo.biz udp
US 34.218.204.173:80 aatcwo.biz tcp
US 8.8.8.8:53 kcyvxytog.biz udp
US 18.208.156.248:80 kcyvxytog.biz tcp
US 8.8.8.8:53 nwdnxrd.biz udp
US 54.244.188.177:80 nwdnxrd.biz tcp
US 8.8.8.8:53 ereplfx.biz udp
US 44.213.104.86:80 ereplfx.biz tcp
US 8.8.8.8:53 ptrim.biz udp
SG 18.141.10.107:80 ptrim.biz tcp
US 8.8.8.8:53 znwbniskf.biz udp
US 34.218.204.173:80 znwbniskf.biz tcp
US 8.8.8.8:53 cpclnad.biz udp
US 3.237.86.197:80 cpclnad.biz tcp
US 8.8.8.8:53 mjheo.biz udp
US 3.237.86.197:80 mjheo.biz tcp
US 8.8.8.8:53 wluwplyh.biz udp
SG 18.141.10.107:80 wluwplyh.biz tcp
US 8.8.8.8:53 zgapiej.biz udp
US 18.208.156.248:80 zgapiej.biz tcp
US 8.8.8.8:53 jifai.biz udp
US 44.221.84.105:80 jifai.biz tcp
US 8.8.8.8:53 xnxvnn.biz udp
SG 13.251.16.150:80 xnxvnn.biz tcp
US 8.8.8.8:53 ihcnogskt.biz udp
US 35.164.78.200:80 ihcnogskt.biz tcp
US 8.8.8.8:53 kkqypycm.biz udp
SG 18.141.10.107:80 kkqypycm.biz tcp
US 8.8.8.8:53 uevrpr.biz udp
US 44.213.104.86:80 uevrpr.biz tcp
US 8.8.8.8:53 fgajqjyhr.biz udp
US 34.211.97.45:80 fgajqjyhr.biz tcp
US 8.8.8.8:53 hagujcj.biz udp
US 18.208.156.248:80 hagujcj.biz tcp
US 8.8.8.8:53 sctmku.biz udp
US 35.164.78.200:80 sctmku.biz tcp
US 8.8.8.8:53 cwyfknmwh.biz udp
US 8.8.8.8:53 qcrsp.biz udp
US 34.211.97.45:80 qcrsp.biz tcp
US 8.8.8.8:53 sewlqwcd.biz udp
US 3.237.86.197:80 sewlqwcd.biz tcp
US 8.8.8.8:53 dyjdrp.biz udp
US 54.244.188.177:80 dyjdrp.biz tcp
US 8.8.8.8:53 napws.biz udp
US 35.164.78.200:80 napws.biz tcp
US 8.8.8.8:53 qvuhsaqa.biz udp
US 54.244.188.177:80 qvuhsaqa.biz tcp
US 8.8.8.8:53 apzzls.biz udp
US 34.211.97.45:80 apzzls.biz tcp
US 8.8.8.8:53 krnsmlmvd.biz udp
US 34.218.204.173:80 krnsmlmvd.biz tcp
US 8.8.8.8:53 nlscndwp.biz udp
US 54.244.188.177:80 nlscndwp.biz tcp
US 8.8.8.8:53 bzkysubds.biz udp
US 3.94.10.34:80 bzkysubds.biz tcp
US 8.8.8.8:53 ltpqsnu.biz udp
US 54.80.154.23:80 ltpqsnu.biz tcp
US 8.8.8.8:53 vnvbt.biz udp
US 44.213.104.86:80 vnvbt.biz tcp
US 8.8.8.8:53 ypituyqsq.biz udp
US 3.94.10.34:80 ypituyqsq.biz tcp
US 8.8.8.8:53 ijnmvqa.biz udp
US 35.164.78.200:80 ijnmvqa.biz tcp
US 54.80.154.23:80 ltpqsnu.biz tcp
US 8.8.8.8:53 vgypotwp.biz udp
US 54.244.188.177:80 vgypotwp.biz tcp
US 8.8.8.8:53 giliplg.biz udp
US 44.213.104.86:80 giliplg.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 54.157.24.8:80 przvgke.biz tcp
US 54.157.24.8:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 8.24.157.54.in-addr.arpa udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp

Files

memory/3156-0-0x0000000000400000-0x0000000000588000-memory.dmp

memory/3156-6-0x00000000022F0000-0x0000000002357000-memory.dmp

memory/3156-1-0x00000000022F0000-0x0000000002357000-memory.dmp

C:\Windows\System32\alg.exe

MD5 bc0a481919cca9ab9205e117fb95e8d2
SHA1 b0694ce8bbcf45006c9013f73c922a25300927a4
SHA256 f54bf0d727c1866438848c83953820b52e68f7ddc9710fba4f714f13c4b8e4d4
SHA512 e1759803768aac3780757e1b249f268d51c6380b1ea568eb76c6fb5c27415a49c8ff4d3bd2c73a436c302985f9dfe3922c4e275c821c60ddf433f584fa46fa87

memory/5100-11-0x0000000140000000-0x000000014019E000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 bd16f5784f98452f19262472e215092c
SHA1 3c0ce8ecb88b639834f4e8b86a35b906aebfcd43

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 06:06

Reported

2024-06-03 06:09

Platform

win7-20240221-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Windows\System32\alg.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | C:\Users\Admin\AppData\Local\Temp\9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9e0aa12eb15ee73fc31652d21e4310a0_NeikiAnalytics.exe"

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Network

N/A

Files
