Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2024, 10:59
Static task: static1
Behavioral task: behavioral1
  Sample: cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
The signatures below belong to behavioral2 (win10v2004-20240508-en, the resource named under Analysis); the win7 run is listed but not reported here.
General
Target: cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
Size: 3.1MB
MD5: cc598c4ffb86fe6515b9d1aa25a70440
SHA1: b0062c0f12a50fb027e24ec56bfdc8aed718335d
SHA256: 17c0da57aab4e73976614df015860d5540f514b6e5dd6bf3004ea2fbdd3aea6f
SHA512: eee3d108e3f2a848ff57c5f5e767670a337f1149cee6294b225cc84fca2834b0f4ede09be40e4ea09960d54cbaaa29d7c45a7418e816e05e3072bb0114f24030
SSDEEP: 49152:NFoHgEIXrjXfE44zAKveF+7YdOcYTBZEjUqxZgJGLfgqjJUDYWbX9/i3da1YS6oN:gHgNDfXQ1veFPk5FaoCRrgGUDx9/iyB
Malware Config
Signatures
Executes dropped EXE 24 IoCs
Apart from VCREDI~1.EXE, every process listed is a stock Windows or third-party service binary. The "Drops file" signatures below show the sample, alg.exe and DiagnosticsHub.StandardCollector.Service.exe opening many of these same files under System32 and Program Files for modification, so most entries here are existing executables rewritten in place before they ran rather than newly written files; alg.exe and DiagnosticsHub.StandardCollector.Service.exe themselves go on to rewrite further executables.
pid | Process
4240 | alg.exe
4732 | DiagnosticsHub.StandardCollector.Service.exe
4664 | fxssvc.exe
2624 | elevation_service.exe
2724 | elevation_service.exe
1540 | maintenanceservice.exe
1212 | msdtc.exe
2744 | OSE.EXE
3936 | PerceptionSimulationService.exe
3148 | perfhost.exe
3848 | locator.exe
4108 | SensorDataService.exe
4036 | snmptrap.exe
4588 | spectrum.exe
1732 | ssh-agent.exe
1804 | TieringEngineService.exe
4728 | AgentService.exe
2728 | vds.exe
1256 | vssvc.exe
1716 | wbengine.exe
4552 | WmiApSrv.exe
2524 | SearchIndexer.exe
1400 | VCREDI~1.EXE
4616 | msiexec.exe
Loads dropped DLL 1 IoCs
pid | Process
3756 | MsiExec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
No IoC rows are attached to this signature, so the report does not show which process performed the read or which browser profile paths were touched.
Adds Run key to start application 2 TTPs 2 IoCs
Both values are wextract_cleanupN entries under RunOnce that call advpack.dll's DelNodeRunDLL32 to delete a %TEMP%\IXPnnn.TMP directory. This is the housekeeping the Windows IExpress/wextract self-extractor registers for its own extraction folder; it identifies the sample and the embedded VCREDI~1.EXE as IExpress packages, and is not persistence of a payload (RunOnce values are removed after they run once).
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | VCREDI~1.EXE
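The two RunOnce values above are the IExpress/wextract cleanup pattern (rundll32 advpack.dll,DelNodeRunDLL32 on an IXPnnn.TMP directory). The Python below is an added example written for this page, not code from the sandbox or from the sample: it parses Run/RunOnce IoC rows in the format the report prints them, unescapes the value data, extracts the directory DelNodeRunDLL32 will delete, and separates self-extractor cleanup from values that would actually start something at logon. The first two rows are copied from the report; the third row, with its Updater value name and updater.exe path, is hypothetical and constructed only to exercise the other branch.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Rows constructed from the two "Adds Run key" IoCs in this report. The value
# data is kept exactly as the report prints it (backslashes doubled, inner
# quotes escaped). The third row is hypothetical, not from the report: it
# shows how a value that really does start a payload is classified.
RUNONCE_ROWS = [
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""',
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe /silent"',
]

# "rundll32 advpack.dll,DelNodeRunDLL32 <dir>" deletes <dir> recursively. The
# IExpress/wextract self-extractor registers exactly this under RunOnce to
# remove its %TEMP%\IXPnnn.TMP extraction directory at the next logon.
DELNODE_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"?(?P<dir>[^"]+?)\\?"?$',
    re.IGNORECASE,
)
IXP_DIR_RE = re.compile(r'\\IXP\d{3}\.TMP$', re.IGNORECASE)
WEXTRACT_NAME_RE = re.compile(r'^wextract_cleanup\d+$', re.IGNORECASE)


@dataclass
class RunValue:
    key: str               # registry key holding the value
    name: str              # value name
    command: str           # value data, unescaped
    target: Optional[str]  # directory handed to DelNodeRunDLL32, if any
    kind: str              # 'iexpress-cleanup', 'delnode-cleanup' or 'autostart'


def _unescape(data: str) -> str:
    """Strip the outer quotes and undo the backslash escaping in the report's value data."""
    if data.startswith('"') and data.endswith('"'):
        data = data[1:-1]
    return re.sub(r'\\(.)', r'\1', data)


def parse_run_row(row: str) -> RunValue:
    path, data = row.split(' = ', 1)
    key, _, name = path.rpartition('\\')
    command = _unescape(data.strip())
    m = DELNODE_RE.match(command)
    target = m.group('dir') if m else None
    if target is None:
        kind = 'autostart'         # runs an arbitrary command at logon: real persistence candidate
    elif WEXTRACT_NAME_RE.match(name) and IXP_DIR_RE.search(target):
        kind = 'iexpress-cleanup'  # self-extractor housekeeping, not payload persistence
    else:
        kind = 'delnode-cleanup'   # advpack delete of some other directory: look at what it removes
    return RunValue(key, name, command, target, kind)


def triage_run_values(rows: List[str]) -> List[RunValue]:
    return [parse_run_row(r) for r in rows]


def extraction_dirs(rows: List[str]) -> List[str]:
    """Directories the self-extractor unpacked into; they are deleted at next logon,
    so collect them from the sandbox file system before that."""
    return sorted({v.target for v in triage_run_values(rows) if v.kind == 'iexpress-cleanup'})


if __name__ == '__main__':
    for v in triage_run_values(RUNONCE_ROWS):
        print(f'{v.kind:17} {v.name:20} {v.target or v.command}')
    print('collect:', extraction_dirs(RUNONCE_ROWS))
```

The extraction_dirs result is the practical output: the IXP000.TMP and IXP001.TMP directories hold whatever the two self-extractors unpacked, and the RunOnce entries will remove them at the next logon, so they are worth pulling from the sandbox before that happens.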
Blocklisted process makes network request 1 IoCs
flow | pid | Process
34 | 1540 | msiexec.exe
Pid 1540 is also listed under Executes dropped EXE as maintenanceservice.exe; the report does not show which image held that pid when the request was made, so resolve it against the process tree before attributing the flow.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
All 46 opens are by msiexec.exe: each of \??\A:, \??\B:, \??\E: and \??\G: through \??\Z: is opened read-only twice (C:, D: and F: do not appear). Windows Installer enumerates volumes while costing an install, so this is expected for the embedded runtime setup seen under "Drops file in Windows directory" rather than a sample-specific indicator.
description | ioc | Process
File opened (read-only) | \??\A:, \??\B:, \??\E:, \??\G: … \??\Z: (each twice) | msiexec.exe
Drops file in System32 directory 36 IoCs
With two exceptions every row is a service executable opened for modification in place by the sample, by alg.exe or by DiagnosticsHub.StandardCollector.Service.exe. The exceptions are MSDTC.LOG, which msdtc.exe writes during normal MSDTC startup, and a611c3a3c3136770.bin under the SYSTEM profile's Roaming directory, written by alg.exe and the one non-executable artifact here worth retrieving.
description | ioc | Process
File opened for modification | C:\Windows\system32\AgentService.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\a611c3a3c3136770.bin | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\msiexec.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\spectrum.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\vds.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\wbengine.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\alg.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\locator.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\vssvc.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
Drops file in Program Files directory 64 IoCs
The list stops at 64 entries. Every file is an executable of installed third-party software (Java JDK/JRE, Firefox, Chrome and Google Update, Acrobat Reader, Office Click-to-Run, VLC, 7-Zip, Windows Media Player) opened for modification in place by the sample, alg.exe or DiagnosticsHub.StandardCollector.Service.exe.
description | ioc | Process
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | alg.exe
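A way to read the Executes dropped EXE and the two Drops file signatures above together, as an added Python example (not code from the sandbox, and not part of the report): the Drops file rows say which process rewrote which executable, and the Executes dropped EXE rows say which of those executables subsequently ran. Walking from the sample through those relations assigns each executed process an infection generation and lists the executed files that no input row explains. The rows embedded here are a constructed subset copied from the tables above; names are compared case-insensitively because the report mixes System32/system32 and MsiExec/msiexec.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE = 'cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe'

# Constructed subset of the "Executes dropped EXE" rows: (pid, process).
EXECUTED = [
    (4240, 'alg.exe'),
    (4732, 'DiagnosticsHub.StandardCollector.Service.exe'),
    (4664, 'fxssvc.exe'),
    (1212, 'msdtc.exe'),
    (4728, 'AgentService.exe'),
    (4616, 'msiexec.exe'),
    (1400, 'VCREDI~1.EXE'),
]

# Constructed subset of the "Drops file ..." rows: (description, path, process).
FILE_ROWS = [
    ('File opened for modification', r'C:\Windows\System32\alg.exe', SAMPLE),
    ('File opened for modification', r'C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe', SAMPLE),
    ('File opened for modification', r'C:\Windows\system32\AgentService.exe', SAMPLE),
    ('File opened for modification', r'C:\Windows\System32\msdtc.exe', SAMPLE),
    ('File opened for modification', r'C:\Windows\system32\msiexec.exe', SAMPLE),
    ('File opened for modification', r'C:\Program Files\Java\jre-1.8\bin\java.exe', SAMPLE),
    ('File opened for modification', r'C:\Windows\system32\AgentService.exe', 'alg.exe'),
    ('File opened for modification', r'C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe', 'alg.exe'),
    ('File opened for modification', r'C:\Windows\system32\config\systemprofile\AppData\Roaming\a611c3a3c3136770.bin', 'alg.exe'),
    ('File opened for modification', r'C:\Windows\system32\fxssvc.exe', 'DiagnosticsHub.StandardCollector.Service.exe'),
    ('File opened for modification', r'C:\Windows\system32\MSDtc\MSDTC.LOG', 'msdtc.exe'),
    ('File created', r'C:\Windows\Installer\e57a151.msi', 'msiexec.exe'),
]

EXECUTABLE_EXT = ('.exe', '.dll')


def _basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1].lower()


def executable_writers(file_rows) -> Dict[str, set]:
    """Map each executable file name (lower-cased) to the processes that opened it for writing."""
    writers = defaultdict(set)
    for _desc, path, proc in file_rows:
        name = _basename(path)
        if name.endswith(EXECUTABLE_EXT):
            writers[name].add(proc.lower())
    return writers


def modification_counts(file_rows) -> Dict[str, int]:
    """How many distinct executables each process rewrote."""
    touched = defaultdict(set)
    for name, procs in executable_writers(file_rows).items():
        for p in procs:
            touched[p].add(name)
    return {p: len(names) for p, names in touched.items()}


def infection_generations(file_rows, executed, sample) -> Tuple[Dict[str, int], List[str]]:
    """Breadth-first walk from the sample: an executed process gets generation n+1 when
    its on-disk image was rewritten by a generation-n process. Returns the generation
    per process and the executed processes that no row in the input rewrote."""
    writers = executable_writers(file_rows)
    executed_names = {p.lower() for _pid, p in executed}
    gen = {sample.lower(): 0}
    frontier = [sample.lower()]
    while frontier:
        nxt = []
        for parent in frontier:
            for target, procs in writers.items():
                if parent in procs and target in executed_names and target not in gen:
                    gen[target] = gen[parent] + 1
                    nxt.append(target)
        frontier = nxt
    unexplained = sorted(executed_names - set(gen))
    return gen, unexplained


def non_executable_artifacts(file_rows) -> List[Tuple[str, str]]:
    """Files written that are not PE images: the ones worth pulling out of the sandbox."""
    return [(path, proc) for _d, path, proc in file_rows
            if not _basename(path).endswith(EXECUTABLE_EXT)]


if __name__ == '__main__':
    gen, unexplained = infection_generations(FILE_ROWS, EXECUTED, SAMPLE)
    for proc, g in sorted(gen.items(), key=lambda kv: (kv[1], kv[0])):
        print(f'gen {g}: {proc}')
    print('executed but not rewritten in these rows:', unexplained)
    print('executables rewritten per process:', modification_counts(FILE_ROWS))
    for path, proc in non_executable_artifacts(FILE_ROWS):
        print(f'artifact {path} (written by {proc})')
```

On the subset embedded here the sample is generation 0; alg.exe, DiagnosticsHub.StandardCollector.Service.exe, AgentService.exe, msd tc.exe and msiexec.exe are generation 1; fxssvc.exe is generation 2 (rewritten by DiagnosticsHub.StandardCollector.Service.exe); and VCREDI~1.EXE comes out as unexplained, consistent with it being the installer unpacked by the self-extractor rather than a rewritten service binary. Running the same walk over the full tables is the quickest way to confirm that every "dropped" process was rewritten before it started.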
Drops file in Windows directory 61 IoCs
The msiexec.exe rows are a Visual C++ 2005 runtime (Microsoft.VC80.CRT, MFC, MFCLOC, ATL and OpenMP, version 8.0.50727.42) being staged into WinSxS\InstallTemp and registered under C:\Windows\Installer, i.e. the installer that the embedded VCREDI~1.EXE hands to Windows Installer; DtcInstall.log is written by msdtc.exe on startup. The rows attributable to the infector are the three modifications of PresentationFontCache.exe by the sample, alg.exe and DiagnosticsHub.StandardCollector.Service.exe.
description | ioc | Process
File created | C:\Windows\WinSxS\InstallTemp\20240515105942338.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0ee63867.manifest | msiexec.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942072.0\mfcm80.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942197.0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0.manifest | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942447.0\8.0.50727.42.cat | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942447.1\8.0.50727.42.cat | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIA316.tmp | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105941932.0\ATL80.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942197.0\mfc80DEU.dll | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105941979.0\msvcp80.dll | msiexec.exe
File opened for modification | C:\Windows\WinSxS\InstallTemp\20240515105942463.0 | msiexec.exe
File opened for modification | C:\Windows\WinSxS\InstallTemp\20240515105942447.0 | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105941979.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.manifest | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942338.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0ee63867.cat | msiexec.exe
File opened for modification | C:\Windows\WinSxS\InstallTemp\20240515105942401.0 | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942197.0\mfc80KOR.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942447.1\8.0.50727.42.policy | msiexec.exe
File created | C:\Windows\Installer\e57a151.msi | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942197.0\mfc80ESP.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942197.0\mfc80JPN.dll | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAC2F.tmp | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942401.0\8.0.50727.42.cat | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105941979.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.cat | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942072.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2.manifest | msiexec.exe
File created | C:\Windows\Installer\e57a155.msi | msiexec.exe
File opened for modification | C:\Windows\WinSxS\InstallTemp\20240515105942369.0 | msiexec.exe
File opened for modification | C:\Windows\WinSxS\InstallTemp\20240515105942072.0 | msiexec.exe
File opened for modification | C:\Windows\WinSxS\InstallTemp\20240515105942338.0 | msiexec.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942197.0\mfc80CHT.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942338.0\vcomp.dll | msiexec.exe
File opened for modification | C:\Windows\WinSxS\InstallTemp\20240515105941932.0 | msiexec.exe
File opened for modification | C:\Windows\Installer\e57a151.msi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{A49F249F-0C91-497F-86DF-B2585E8E76B7} | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942369.0\8.0.50727.42.cat | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942197.0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0.cat | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942197.0\mfc80CHS.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942197.0\mfc80ITA.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942401.0\8.0.50727.42.policy | msiexec.exe
File opened for modification | C:\Windows\WinSxS\InstallTemp\20240515105941979.0 | msiexec.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942072.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2.cat | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942072.0\mfc80.dll | msiexec.exe
File opened for modification | C:\Windows\WinSxS\InstallTemp\20240515105942447.1 | msiexec.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105941979.0\msvcm80.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942197.0\mfc80ENU.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942197.0\mfc80FRA.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942463.0\8.0.50727.42.cat | msiexec.exe
File opened for modification | C:\Windows\WinSxS\InstallTemp\20240515105942197.0 | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105941932.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_6e805841.manifest | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105941979.0\msvcr80.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942369.0\8.0.50727.42.policy | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942447.0\8.0.50727.42.policy | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942463.0\8.0.50727.42.policy | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105941932.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_6e805841.cat | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942072.0\mfc80u.dll | msiexec.exe
File created | C:\Windows\WinSxS\InstallTemp\20240515105942072.0\mfcm80u.dll | msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
The processes hitting these keys are SensorDataService.exe, spectrum.exe and vssvc.exe, three of the service binaries the sample rewrote in place (see Drops file in System32 directory). Enumerating SCSI device instances, their FriendlyName values and PnP property bags is what these services do at startup, and the SnapshotDataCache write under Device Parameters\Partmgr is routine VSS/partition-manager behaviour, so on its own this signature is weak evidence of deliberate VM detection. What the key paths do expose is the sandbox's hardware identity: a QEMU DVD-ROM, a Microsoft virtual DVD-ROM and a disk with vendor string DADY.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
-
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 56 IoCs
Suspicious behavior: EnumeratesProcesses 44 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
1540 msiexec.exe
1540 msiexec.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target
PID 2524 wrote to memory of 2160 2524 SearchIndexer.exe 110
PID 2524 wrote to memory of 2160 2524 SearchIndexer.exe 110
PID 2524 wrote to memory of 4920 2524 SearchIndexer.exe 111
PID 2524 wrote to memory of 4920 2524 SearchIndexer.exe 111
PID 4916 wrote to memory of 1400 4916 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 112
PID 4916 wrote to memory of 1400 4916 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 112
PID 4916 wrote to memory of 1400 4916 cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe 112
PID 1400 wrote to memory of 1540 1400 VCREDI~1.EXE 113
PID 1400 wrote to memory of 1540 1400 VCREDI~1.EXE 113
PID 1400 wrote to memory of 1540 1400 VCREDI~1.EXE 113
PID 4616 wrote to memory of 1196 4616 msiexec.exe 118
PID 4616 wrote to memory of 1196 4616 msiexec.exe 118
PID 4616 wrote to memory of 3756 4616 msiexec.exe 120
PID 4616 wrote to memory of 3756 4616 msiexec.exe 120
PID 4616 wrote to memory of 3756 4616 msiexec.exe 120
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cc598c4ffb86fe6515b9d1aa25a70440_NeikiAnalytics.exe" (tree level 1)
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~1.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~1.EXE (tree level 2)
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\msiexec.exemsiexec /i vcredist.msi3⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1540
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4240
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4732
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:3464
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4664
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2624
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2724
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:1540
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1212
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:2744
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:3936
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:3148
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:3848
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4108
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:4036
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4588
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:1732
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:3308
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1804
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4728
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:2728
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1256
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1716
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:4552
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:2160
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:4920
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:1196
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 72E8F407AAC1E860615BF540BAEE75382⤵
- Loads dropped DLL
PID:3756
-
Network
MITRE ATT&CK Enterprise v15
Downloads