Malware Analysis Report

2024-11-13 14:03

Sample ID 240604-aazvyadh9x
Target 14984d77bbd4224fc2b857744ec6d2a0_NeikiAnalytics.exe
SHA256 8fbcdac508759261a04f51d4fd9822309934f05c190112663a445a7ef0ca92a3
Tags
spyware stealer
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 14984d77bbd4224fc2b857744ec6d2a0_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Modifies data under HKEY_USERS

Checks processor information in registry

Analysis: static1

Detonation Overview

Reported

2024-06-04 00:01

Signatures

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 00:01

Reported

2024-06-04 00:03

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14984d77bbd4224fc2b857744ec6d2a0_NeikiAnalytics.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d75e8b8912b6da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002881ef8912b6da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e75608912b6da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec7f0e8a12b6da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\14984d77bbd4224fc2b857744ec6d2a0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\14984d77bbd4224fc2b857744ec6d2a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\14984d77bbd4224fc2b857744ec6d2a0_NeikiAnalytics.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

Network


Files


MD5 37366fc5fce74e4ab6314aa3ce710e0b
SHA1 9da08f4cef7b0255e32bd70de866701d46afcb9e
SHA256 e6486cd6e71a2280841213383c20c0d9158e8a111a1d5264a1595ed383474395
SHA512 192a1492412c3575e8c664632135ffca62307491da4b825e3fc14373373bef2675323b6491d138fd11ffb7cf11d6082fe2bc797e9c1616e64a6291b546b284ed

C:\Program Files\Java\jdk-1.8\bin\jdb.exe

MD5 2330eb6aa3b154b6c0ef955e12108b1e
SHA1 920ca224f6e093666e714174dbc8304530fb3d03
SHA256 0926e52dc25f59407be7939dd0145d1c1b20530d19d5fe434712ea11a6d10a46
SHA512 67b68858e5ecbc919ccdc3cc8bf51d90b8bafde6ffe741cf9a7c96a08899dfa83dafd9b9361371700b821d2df390bdb5accb300f508ea751e09561e7c1d0c4ad

C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

MD5 70334ac2a594109b6cb3b5e60ca6e6b8
SHA1 ede8dde70f1e1242dd31d59b4c3b9c32512451d5
SHA256 94caa6f9b76893637b1e5f9a723787df7a06da0dee4e1a2102b0103cf4ed978d
SHA512 490215bce83b996819aa07c2fca5708f29f8fb49d668851c5d46fa13ef984e0aa014627de94d99294da685c6baf805f4fac3abfdd51d524812e95a0c0978c471

C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

MD5 82215812561e739d7184e77178bddbff
SHA1 77d330b0c7de53f234d070de85a9eb83ed44c2d5
SHA256 45b49fc9f5a47f4ea0c732122e74aeb7f4395c186b091c282330af3afbf769bb
SHA512 968a872015bb5b5196d34b96bee7104d6af242a747223c03fbcc0c2231510730a533e77f38011e75d5b8d00c84760529eabc966fb3d429bca4994a2ef7f974d7

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

MD5 74c84f99889d3b1434642798bab3c6e0
SHA1 8b7ad99f593fffd50e6a0cf121f60bd540df5a1e
SHA256 40b55075af89defe384f1a9bcd68df0ee2c64a3a61db68bad91eb4e6839f9000
SHA512 768453281f857aed6fe6b651b8e1463286efb8365332173a9ad37de829a7ea7e7c0f24085300e24c01f55a45aa5f155057c90f8c5ee8927d9039e288e3fae3a3

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

MD5 909e867f99a1ce098f5e965158ae1774
SHA1 e7d963be314cb37f0cf4aa6bd854e4a0e595b10c
SHA256 4cddc8fa3f48529a3daab6454c89cb9c0377e0e894f39e733984f3067064b546
SHA512 383e9567c79a6538287677f68975b09e0835e112ae8d1e6a6094b50ee9256fb8d7abf91fbf6734a729f612589375c88a523205664b42ddf6b17fe8b82cf8cfb9

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

MD5 d7e61019d0d729fb80d9231924248505
SHA1 579786371da3be98f894c8315e80a7d64f0d7ecd
SHA256 a6d6907899cbbb035f4eb7343f6a5c52698ae6c4d06c740e32e9db8ea969fa68
SHA512 9e3313047779bc7b22af5911f85497637e63ef38afe85c9fa12e03944c6fc419cab27b9a98f3fd61528ce504e05ccce6dd2074f07cd677bda74032f955ab5c77

C:\Program Files\Java\jdk-1.8\bin\javap.exe

MD5 dc7beec19554303766fa06f2585a7644
SHA1 5b4fb6259a2fb433421583902973d237cbb41790
SHA256 8da4f001333038e0b2fe1f330cae8eae12d590d7d959421947edd559bf84f886
SHA512 0d14a014845a55c4b2ba74591a5b9e1ac32b427031c0e01d1eebc8bcb1b8fa0ac45864444dfd7f5d390cdb46d6704a63677e7747be643c7bb7bebb4895c0fa58

C:\Program Files\Java\jdk-1.8\bin\javah.exe

MD5 e8ca60d4fab622aede1ec898f48e3ecd
SHA1 c07d3d4e62f6062f0addb5b713e8239f17a8aae3
SHA256 b81ea72a5b2f8bf074a676b0214b1082fdb7466beddd01dd2a8a5f65d6e8acb7
SHA512 45c1857c6afc13853330d524f6ddfbf0533cb66d164e62c71947291cbbd5014186895967342e0b797fc9627c51a78eacd9e2e7f68c0ff281c0e0380ec1f81937

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

MD5 045e981f496892736141fa63f721ee89
SHA1 beb9d92ee77d75ea30d1c4d30d072675a132136d
SHA256 6f9aa0df49ed404dc4e3b5d179d996085b9ff41d44aa8ab2bc493a87aa79ce66
SHA512 d0ccbf3c4758c7459ac8f545ad98c0f57bbdb63422232ba20953c1d601004d67a6d55a2c95f46b3351247a2fa634b3d087d93a139555020ef3ac4a5a729749bd

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

MD5 7bfbc443a68495458e14c91e2a124936
SHA1 e214e0574e8c96c720c39587883d7a0399adb8d2
SHA256 c076b450d1c41815ab7a17cdcd805128416e96b42c5cb336d4b9ca1e0cedbe33
SHA512 e3964798146820dee1e5a797b0311b2e8b4ee97c9fc1932ae962bf333184175fa19da809851a3a8efe1df9d01cfc9157002aadeebb550d5d957f4329dcb3cb2b

C:\Program Files\Java\jdk-1.8\bin\javac.exe

MD5 54ed3e7287bbb9d866ec296c3e0d9058
SHA1 a467d6dd3e0c44369fe43a8113d48f01890f3c13
SHA256 1f2d5fec97637b940ccc6d25c9d2576d266b57551f377fe767e870b1b6a64f39
SHA512 f810098d110d914f8e2555b6ec8566196d494c8783895ea26cdc356c01e8c9f8ef97029f75a368190bbaf99f2944d40183cc44cbe3dcaff1a5c61233ad3bb108

C:\Program Files\Java\jdk-1.8\bin\java.exe

MD5 e7d6a450ac9d7f5791b9d12d933f3972
SHA1 e9e9f6dc639f08e44cd7fc6e3eb2debf62e06d6a
SHA256 269d385e1683538d1d58defa0be1c45f0383855fdb98a1215783bb8b0ab23794
SHA512 b264e83c523baba4612e52ea76fd1d2dc1bb3e7904841059cb9b4e0967dbaba46db8a999649e220ac7576eab66c488e020d67331cf73bece8cd77c0b6b6b09a4

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

MD5 83e6c6363cc2b197012b9a6bdee8004c
SHA1 c3b6d7d23993deb9502803aca143602f736637ec
SHA256 172bcee86a0dbf2adedfd6a1d2faeab939bc1048c9126c9740bf1ff2633a4c3d
SHA512 c87d7268904509ab125e929a719610ec9a87d03aef860f6a2d8bc6ec0bb9341c4b8b5ae7379c4422366cc7d21c75ea81b1c356253037c7e31debeb67650b5c82

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

MD5 a276a7cb5c61d41ca5c2b21a648b0ba0
SHA1 7a61da437d6b2be5ce98279f91817f84abe59a24
SHA256 516f33860f0778fdcc9de52722b108eb297919ae4ef49f84e4618ea60a40822b
SHA512 9cd4bd6ed920a7d131cc9a60f26e9c7758b25250333f0d2e3408b3264e185cead24cd15de3f9321a7fca4986f617846e92f504aabf84860625ad51f762f4a0a1

C:\Program Files\Java\jdk-1.8\bin\jar.exe

MD5 036e6bdec7f81319f2bd78f3b4e6f32b
SHA1 fec36900f4116685cf2b2c9cb4a68d504e795837
SHA256 ca31716e974d727741e23a8129d13fe64ed451f7187973310bb625356f95c164
SHA512 21ea8986144a52ea4392439786f433e5875db9e31ca928ba6bfe5c9877bbdbfc259e47214796392e78ed8f5484c6561aeabb4e71c10c0f3d47f5e3397718b751

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

MD5 436b94294f0dbf43f56548c287786ba7
SHA1 a2aac05a404419f6a612f20b5cf8dfa7764dc283
SHA256 b4995f92c38212198a46f63efcc166c97b811c549650715e5aa01651225ff889
SHA512 b3dca247a1abac7eee0297aab0ba25024014c667faddaf5d7171b1b53175f4c8a77ab8a054c5a7152a060117cf00feb0cd67ac138ec642f41885c24ff1e05e21

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 8ff27eceb9839a36e5720115abc2c9a5
SHA1 27aa683cde2932921fb45e19363c95251c2dd76b
SHA256 1ee0daf70111dc4514bf709a9df8ceec224a40213667372c99f0ef190c435665
SHA512 54093100e95caa0e9b9d0f2d80f30ff7225fb81f7b651c15c1e452c9632e6da22435cffe0b52847ca8fc049644c804d6fee6b7d2eea8e375632c9edb7b68a0ab

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 e820cd0beab5fbaa481effa8ae7c4f7b
SHA1 91f42a30e297f0dc6e0ac8a7cfcec5fbc2d76a92
SHA256 d672b3719e8d989d6474a063f8e69d198d62f65fc0065ceda47b76c629140359
SHA512 b1017df88a97dfa02e977c09a7c4ab2007b9159ff61854feb4d1f3d645a83ecb2eda0df45f8f89d9cc86d9d3bcf12d6fecb63a2cdc9521a152664f9f92143a1a

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 476aff86b7657e70791344241d091ef9
SHA1 76d2e2fd45f96fbdc55f9cabcef6803331149b2f
SHA256 4fb3a138dc59fcc60cf3b22c6b8a8bb2a73fad048116a5c6fab894ab28e694ce
SHA512 e016ac66dfec4bf93655b1e627a3e9d93b8ac750c5c663dca5b38692649a4608348c9010a141f5bbef258fb9b97260b8ce0865240542919b277bfaf33cafac44

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 b0b2b5131c138d341953ad27c6480598
SHA1 39e6981291b47e06dea92a3374356988316ffedd
SHA256 008510edc5d02422cda62b6eb78e37ec8fa74a78c3524111de6d990a23e113af
SHA512 6cbe843fecedf96b02e9a36082fb58964f4e1787ff10023881722bf1d1a4188aa6017f375e7332bbf913514b2b3d64b3661e8ed57b4256d81b422572ffb9f2e8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

MD5 6119d758b8d5903f6eb4ff068a76a4a0
SHA1 47d44a544b96ad9fa5450b9391d6a94313ed99ef
SHA256 39e3f4c145b08514e576d1b80f342e47fd235dc1ad699921fae2204ee27d939d
SHA512 84748b455c461edb631ca64539df33560b76d867ff4a72c25bb043eb7b7e4680d2de0fed0e71a8f0a0bd5b0685d0366858eeae95a07747695a7c011c8a1e678d

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

MD5 5d162b0332eeb1a0de6bb1f709b6f488
SHA1 5fdc5293e203b953434f11f197e47ad703ad8f00
SHA256 58053354a7c18a4c6a749ae8fb233f0936e531be436525bb0de0c10970a026f4
SHA512 16324093fa7fb47cc447023f6702e45a1cfb19a7074b3f5660dd296818c7c95ea109e451dd6d6165c3463e621b130e33fccb7961223d2ff3b8c77a9cde57a072

C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

MD5 1661cfd96ef4a6cba5c3bcdd44d5a61b
SHA1 9cae673846eafcaae73df864a37e2d3f16fd7f8d
SHA256 26cfbac3aac7f2b75545bd1ba9d3e0a362305e5ae8b632606922edd7532813af
SHA512 49a5575dec9653668928ad1d840f016109e44b003ac932cc234a221aced311cf0cd563797200ee4015f012a96fc6c8c4c377ecbe670456dea7dc2fe2f7ac3332

C:\Program Files\dotnet\dotnet.exe

MD5 8b1b7affdd1f181f33d608828b27ee72
SHA1 7084abda86f9137b1ac687480b58cef641b77360
SHA256 3b6c48bbb4e032dc7299bda493662dc72ef9dbad0aa326566209588859240f5a
SHA512 1d0012cf937a3c5d55387aed55e4f20331a1aa456ba31ddc1526d086383df01c46a55c3a52c7b7f2a81dc8b55bc05d25f15c0712dd67a5cf892d57a038fe5d9a

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 4503d74c1136cb83f426eba3be59c012
SHA1 b2fc9613386cf88f3a2aaca64022e0686a13ba78
SHA256 f982e0597f7f23e2a72a2c0c046ba483e4e2a96dec63bfc3355c2a6e61585d99
SHA512 ebc2354a7b6e8c5aefaddeb1fa7b4b6596a7cf21b2643b1e89337253f72000f615ad52649615151c2fe29b2207544fea82c76bd726f81ba1262257017e550f45

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 f15d2c0168a1e8f9239144e7b2044306
SHA1 010596a0eaa1ce25cba36eea233db964fd621b60
SHA256 54229cf6baab88f5f20cedd9384285715b058b3933beecc762b8bf066f468b6c
SHA512 e747a6d1abece45eb7e093ec91d9440daec4ab1b9b1f909f8edba728543b1d5205ef49d3430c38e983dac65183d9ab3b611381213b889d00658cfbce82d9a234

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 1aa90ad9fac216301b0852ca540040ba
SHA1 adca3d190463d4726a24b77ef9809e47a1033fde
SHA256 907e84f9b197aaa5faede686a9884205fb61bd67c4aa34a7edffe04e223add21
SHA512 54211a26ab90309a41dd33f41a65acdccb60624954c27745878af858d4dd2fae2f1c9cccd33f4f414b43d22e0584314283fa2bee87c4e145ccc64f3b120128d6

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 c528c32f743f8ad16368ac40c754c606
SHA1 bdbd67098924073ea6f6816c7fa6e2225b5921e4
SHA256 7556f0372bee3424eb93790c33524ed3f3b7f9776ae1af5d24dc7386ce400716
SHA512 7b51b4a551e6aae50e446f513c780631581397039eadd5af0873a655871e19e3a7077fcf5fc6d0a2aabdc116fea6d122bf4d0fcb0dd7bcba862b3e5cf0f18604

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 fda2065b4246bb3113d7ff93bbaa0af4
SHA1 e0757a1984f975e6a9eed17b68d6ebfca124ef48
SHA256 6543e1f542d949593591d6c3829db86d49305d6cb0d07c3616d74cf00a875f6d
SHA512 0ee4a1000b0cf712c3067f7197b9280db71ab02a955c50fb86d59aebf9b769dc0f2c566d4f35926a1171c3eb603402d80f3278f8192d897f3ef881c533ea070c

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 dbf24929e88c570144b3cf701b601e25
SHA1 476c8cb01caaa737abefd6c3ec87531204f1a2ed
SHA256 45099daad0822eb875ceddb8f091fa0984d7cda3286dd1f5bdf2ce71790d1bc3
SHA512 168e2e35caa0e8eb9a7d426cdcb9e44a572319b5dfcfda51a763c5a16e63c3d3d79decb43d25f4244a8939003725df38a14cb0595a083dd051eb665a0d961124

C:\Program Files\7-Zip\Uninstall.exe

MD5 fedc81a249597993a47fb202171c45ae
SHA1 f25946cf7280a9987f448785f7acc13760606ed0
SHA256 1f1fc696646f2803ea16c0768db95e9f3e9b03785b289989b5677c94ce6af112
SHA512 36688316d9fac6b2c43cc08dbfa66c057ec896fcc562a6e7f40999a9459607a4c2d5e63bd7b90a6ccd5d3b6ac004ed20ff6196c5c1fb0c563cc171ec8f96327a

C:\Program Files\7-Zip\7zFM.exe

MD5 bf02a873dc072ed63e3685833087d2f3
SHA1 867b236f97a79ec354a695d0ddedf70eb1d9f02c
SHA256 0b3b679a909b24c471057f13b6ab0b3c7a1a4651119cb9f801634f6008a5248f
SHA512 ac978ab9c33fe7fa0307e6d912197db64e3d98d1b5b62b8e4a6fda7a6a1919912005fd1251b8fa503080fd56c413fc14722a91d09b31d310df6b5d8db1a0d871

memory/3892-523-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/4960-524-0x0000000140000000-0x0000000140176000-memory.dmp

memory/928-605-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3356-606-0x0000000140000000-0x00000001401E2000-memory.dmp

memory/4072-609-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3472-612-0x0000000140000000-0x0000000140147000-memory.dmp

memory/2492-613-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/4720-614-0x0000000140000000-0x0000000140216000-memory.dmp

memory/4576-615-0x0000000140000000-0x00000001401A6000-memory.dmp

memory/1808-617-0x0000000140000000-0x0000000140179000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 00:01

Reported

2024-06-04 00:03

Platform

win7-20240221-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14984d77bbd4224fc2b857744ec6d2a0_NeikiAnalytics.exe"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\14984d77bbd4224fc2b857744ec6d2a0_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\14984d77bbd4224fc2b857744ec6d2a0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\14984d77bbd4224fc2b857744ec6d2a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\14984d77bbd4224fc2b857744ec6d2a0_NeikiAnalytics.exe"

Network

N/A

Files

memory/2008-0-0x0000000000400000-0x00000000005A8000-memory.dmp

memory/2008-2-0x00000000005B0000-0x0000000000617000-memory.dmp

memory/2008-7-0x00000000005B0000-0x0000000000617000-memory.dmp

memory/2008-12-0x0000000000400000-0x00000000005A8000-memory.dmp