Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/05/2024, 22:02
Static task: static1
Behavioral task behavioral1: sample 9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe, resource win7-20240221-en
Behavioral task behavioral2: sample 9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe, resource win10v2004-20240426-en
The signatures below come from the win10v2004-20240426-en run (behavioral2), the resource named in the header above.
General
Target: 9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
Size: 3.1MB
MD5: 9430495586dfe4a24ae4cf6188e8d350
SHA1: 77b756ab97064821865fa725e193c8522c12d3f3
SHA256: 2e66ca6006148af46c6579d4c58a0197f4ab73a291e3c78e6e6178d8f878aa16
SHA512: 6b13a10e5e91e262403d1d601ad62c4abd8834e2bbd27f088c7496c9a18e131bcf6a566dd77963571a4d10aa93db3a8da049b62f16ebd1b60cd382227bb703dc
SSDEEP: 98304:aHgNDfXQ1veFPk5FaoCRrgGUDx9w7izY0a:XDfgZeVmCJWlSee
The file name is the MD5 with a _NeikiAnalytics suffix, i.e. a name assigned by the submitting feed; the original file name is not available from this report.
Malware Config
Signatures
Executes dropped EXE 24 IoCs
pid / process:
- 1636 alg.exe
- 3168 DiagnosticsHub.StandardCollector.Service.exe
- 5004 fxssvc.exe
- 4396 elevation_service.exe
- 2968 elevation_service.exe
- 4032 maintenanceservice.exe
- 5000 msdtc.exe
- 4368 OSE.EXE
- 4960 PerceptionSimulationService.exe
- 1416 perfhost.exe
- 4220 locator.exe
- 896 SensorDataService.exe
- 2476 snmptrap.exe
- 1600 spectrum.exe
- 3636 ssh-agent.exe
- 2076 TieringEngineService.exe
- 4432 AgentService.exe
- 640 vds.exe
- 3432 vssvc.exe
- 2692 wbengine.exe
- 1792 WmiApSrv.exe
- 4836 SearchIndexer.exe
- 3720 VCREDI~1.EXE
- 1948 msiexec.exe
Every name except VCREDI~1.EXE is a Windows or third-party service binary that the sample opened for modification in place (see "Drops file in System32 directory" and "Drops file in Program Files directory" below), so these "dropped EXE" executions are the overwritten service binaries being started, not standalone payload files; each of them runs with the privileges of the service it replaces. VCREDI~1.EXE is the 8.3 short name of a Visual C++ redistributable installer extracted by the outer package (the runtime it installs is identified under "Drops file in Windows directory"), and msiexec.exe pid 1948 is the Windows Installer instance it invoked; note that C:\Windows\system32\msiexec.exe itself is among the binaries the sample modified.
Loads dropped DLL 1 IoCs
- pid 5168 MsiExec.exe
This is a second Windows Installer process, distinct from msiexec.exe pid 1948 above, loading a DLL that the sample dropped.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and history. The report lists no file or registry IoC under this signature, so weigh it accordingly.
Adds Run key to start application 2 TTPs 2 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: VCREDI~1.EXE)
Both values are the standard cleanup entries written by wextract.exe, the IExpress self-extractor stub: at the next logon rundll32 calls advpack.dll's DelNodeRunDLL32 to delete the IXP<nnn>.TMP extraction directory. They are not persistence for the payload. What they do tell you is that the sample is an IExpress/CAB self-extracting package, and that VCREDI~1.EXE, extracted from it into IXP000.TMP, is itself an IExpress package that extracted into IXP001.TMP (nested packaging). The WOW6432Node path shows both stubs are 32-bit processes.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by msiexec.exe: \??\A:, \??\B:, and \??\E: through \??\Z: except \??\F: (23 drive letters, each opened twice, 46 entries in all)
Every entry is attributed to msiexec.exe, which is consistent with the Windows Installer's normal volume enumeration (disk costing) during the VC80 runtime install rather than with the payload walking drives; none of these opens comes from the sample process or from the overwritten service binaries.
Drops file in System32 directory 36 IoCs
All 36 entries are "File opened for modification", grouped here by the writing process:
- 9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe (22): C:\Windows\system32\dllhost.exe, C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe, C:\Windows\SysWow64\perfhost.exe, C:\Windows\System32\SensorDataService.exe, C:\Windows\system32\TieringEngineService.exe, C:\Windows\system32\vssvc.exe, C:\Windows\System32\OpenSSH\ssh-agent.exe, C:\Windows\System32\msdtc.exe, C:\Windows\System32\snmptrap.exe, C:\Windows\system32\msiexec.exe, C:\Windows\system32\spectrum.exe, C:\Windows\system32\AgentService.exe, C:\Windows\system32\wbem\WmiApSrv.exe, C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe, C:\Windows\system32\locator.exe, C:\Windows\system32\wbengine.exe, C:\Windows\System32\alg.exe, C:\Windows\system32\SgrmBroker.exe, C:\Windows\System32\vds.exe, C:\Windows\system32\SearchIndexer.exe, C:\Windows\system32\AppVClient.exe, C:\Windows\system32\fxssvc.exe
- DiagnosticsHub.StandardCollector.Service.exe (7): C:\Windows\System32\SensorDataService.exe, C:\Windows\system32\dllhost.exe, C:\Windows\system32\config\systemprofile\AppData\Roaming\b594c12392be0f3e.bin, C:\Windows\system32\AppVClient.exe, C:\Windows\system32\SgrmBroker.exe, C:\Windows\system32\AgentService.exe, C:\Windows\system32\fxssvc.exe
- elevation_service.exe (6): C:\Windows\System32\SensorDataService.exe, C:\Windows\system32\fxssvc.exe, C:\Windows\system32\AppVClient.exe, C:\Windows\system32\AgentService.exe, C:\Windows\system32\SgrmBroker.exe, C:\Windows\system32\dllhost.exe
- msdtc.exe (1): C:\Windows\system32\MSDtc\MSDTC.LOG
Two points for triage. First, the writers are not only the sample: DiagnosticsHub.StandardCollector.Service.exe and elevation_service.exe, both of which appear in "Executes dropped EXE", modify further service binaries, and six targets (SensorDataService.exe, dllhost.exe, AppVClient.exe, SgrmBroker.exe, AgentService.exe, fxssvc.exe) are each opened for modification by all three writers. Second, the only non-executable written by the payload chain is C:\Windows\system32\config\systemprofile\AppData\Roaming\b594c12392be0f3e.bin, dropped by the overwritten DiagnosticsHub service into the SYSTEM account's roaming profile; it is the artifact to collect from an infected host. MSDTC.LOG is the DTC service's own log.
Drops file in Program Files directory 64 IoCs
All entries are "File opened for modification" unless stated; paths are relative to C:\Program Files\ unless written out in full. The listing stops at 64 entries (the same count as the SCSI section below), so treat it as the displayed portion rather than necessarily the full set of writes.
- 9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe (22): Windows Media Player\wmpnetwk.exe, Java\jre-1.8\bin\jp2launcher.exe, Mozilla Firefox\uninstall\helper.exe, Mozilla Firefox\default-browser-agent.exe, Java\jdk-1.8\bin\xjc.exe, Java\jre-1.8\bin\java.exe, C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe, Java\jdk-1.8\bin\jarsigner.exe, Java\jre-1.8\bin\pack200.exe, Mozilla Firefox\maintenanceservice.exe, Common Files\microsoft shared\Source Engine\OSE.EXE, Java\jdk-1.8\bin\jmap.exe, Java\jdk-1.8\jre\bin\rmid.exe, Java\jre-1.8\bin\javacpl.exe, 7-Zip\Uninstall.exe, Java\jdk-1.8\jre\bin\kinit.exe, Internet Explorer\ieinstal.exe, Java\jre-1.8\bin\jjs.exe, VideoLAN\VLC\uninstall.exe, Java\jdk-1.8\bin\jdb.exe, Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, Java\jdk-1.8\jre\bin\javaws.exe
- elevation_service.exe (23): Java\jdk-1.8\bin\wsimport.exe, Java\jdk-1.8\jre\bin\javaws.exe, Common Files\microsoft shared\ink\InputPersonalization.exe, Java\jdk-1.8\bin\jar.exe, Java\jdk-1.8\jre\bin\tnameserv.exe, Java\jre-1.8\bin\orbd.exe, Mozilla Firefox\maintenanceservice_installer.exe, 7-Zip\7zG.exe, Java\jdk-1.8\bin\ktab.exe, Common Files\microsoft shared\ink\mip.exe, Mozilla Firefox\crashreporter.exe, Mozilla Firefox\updater.exe, Java\jdk-1.8\bin\xjc.exe, C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe, Java\jdk-1.8\bin\java.exe, C:\Program Files (x86)\Internet Explorer\ielowutil.exe, Java\jdk-1.8\jre\bin\ssvagent.exe, Internet Explorer\ExtExport.exe, Java\jdk-1.8\bin\javah.exe, Java\jdk-1.8\bin\javaws.exe, Java\jre-1.8\bin\klist.exe, Common Files\microsoft shared\ClickToRun\AppVShNotify.exe, Java\jre-1.8\bin\jp2launcher.exe
- DiagnosticsHub.StandardCollector.Service.exe (18): Java\jre-1.8\bin\jp2launcher.exe, Java\jre-1.8\bin\unpack200.exe, Mozilla Firefox\default-browser-agent.exe, dotnet\dotnet.exe, Internet Explorer\ExtExport.exe, Common Files\microsoft shared\ink\InputPersonalization.exe, C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, Java\jdk-1.8\bin\jsadebugd.exe, C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe, Common Files\microsoft shared\ink\TabTip.exe, Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, Java\jdk-1.8\jre\bin\ktab.exe, Mozilla Firefox\updater.exe, Java\jdk-1.8\jre\bin\java-rmi.exe, 7-Zip\7zFM.exe, Java\jdk-1.8\bin\policytool.exe, Java\jre-1.8\bin\java.exe, Java\jdk-1.8\bin\jrunscript.exe
- maintenanceservice.exe (1): File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log
The targets are third-party executables of every kind (JDK/JRE tools, Firefox and Google updaters, 7-Zip, VLC, Office and VSTO helpers), not only services, and again the two overwritten service binaries do as much writing as the sample itself. The maintenanceservice.log entry is the overwritten Mozilla Maintenance Service writing its ordinary log.
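Taken together, "Executes dropped EXE", "Drops file in System32 directory" and "Drops file in Program Files directory" describe a file infector: the sample overwrites executables, and the overwritten services, once started, overwrite more. The Python below is an added example, not code from the tria.ge report or from the sample, that parses entries in the format this report uses and reconstructs that chain: which processes are second-generation infectors (executed as dropped EXEs and then writing executables themselves), which targets were hit by more than one writer, and which non-executable artifacts were touched. The embedded input is a constructed subset of this report's own entries; the function names and the `infection_summary` output keys are the example's own.

```python
import re
from collections import defaultdict

# Constructed input: a subset of this report's "File opened for modification" /
# "File created" entries, one per line (the report flattens them onto long lines).
FILE_EVENTS = """\
File opened for modification C:\\Windows\\system32\\DiagSvcs\\DiagnosticsHub.StandardCollector.Service.exe 9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification C:\\Windows\\system32\\fxssvc.exe 9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification C:\\Windows\\system32\\fxssvc.exe elevation_service.exe
File opened for modification C:\\Windows\\system32\\fxssvc.exe DiagnosticsHub.StandardCollector.Service.exe
File opened for modification C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\b594c12392be0f3e.bin DiagnosticsHub.StandardCollector.Service.exe
File opened for modification C:\\Program Files\\Java\\jdk-1.8\\bin\\jar.exe elevation_service.exe
File opened for modification C:\\Program Files\\7-Zip\\7zFM.exe DiagnosticsHub.StandardCollector.Service.exe
File opened for modification C:\\Program Files\\Mozilla Firefox\\maintenanceservice.exe 9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
File opened for modification C:\\Windows\\system32\\MSDtc\\MSDTC.LOG msdtc.exe
File created C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\maintenanceservice.log maintenanceservice.exe
"""

# Constructed input: the start of this report's "Executes dropped EXE" pid/process list.
EXECUTED_DROPPED = ("pid Process 1636 alg.exe 3168 DiagnosticsHub.StandardCollector.Service.exe "
                    "5004 fxssvc.exe 4396 elevation_service.exe 2968 elevation_service.exe "
                    "4032 maintenanceservice.exe 5000 msdtc.exe")

SAMPLE = "9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe"

# The path may contain spaces; the writing process is the last whitespace-free token.
EVENT_RE = re.compile(r"^File (?P<op>opened for modification|created) (?P<path>.+) (?P<proc>\S+)$")


def parse_file_events(text):
    """Return a list of (operation, path, process) tuples from report lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m["op"], m["path"], m["proc"]))
    return events


def parse_executed(text):
    """Turn 'pid Process 1636 alg.exe 3168 ...' into {process: [pids]}."""
    tokens = text.split()[2:]          # drop the 'pid Process' header
    executed = defaultdict(list)
    for pid, name in zip(tokens[0::2], tokens[1::2]):
        executed[name].append(int(pid))
    return dict(executed)


def infection_summary(events, executed, sample):
    """Classify writers and targets from the modification events."""
    exe_writes = defaultdict(set)      # writer -> basenames of .exe files it modified
    artifacts = []                     # non-.exe files touched (logs, dropped blobs)
    for op, path, proc in events:
        base = path.rsplit("\\", 1)[-1]
        if op == "opened for modification" and base.lower().endswith(".exe"):
            exe_writes[proc].add(base)
        else:
            artifacts.append((proc, path))
    # A second-generation infector is a binary the sandbox saw start as a
    # "dropped EXE" and that then modified further executables.
    secondary = sorted(p for p in exe_writes if p != sample and p in executed)
    writers_of = defaultdict(set)      # target -> set of processes that modified it
    for writer, targets in exe_writes.items():
        for target in targets:
            writers_of[target].add(writer)
    multi = {t: sorted(w) for t, w in writers_of.items() if len(w) > 1}
    return {
        "primary": sample,
        "secondary_infectors": secondary,
        "exe_targets": sorted(writers_of),
        "multi_writer_targets": multi,
        "artifacts": artifacts,
    }


if __name__ == "__main__":
    summary = infection_summary(parse_file_events(FILE_EVENTS),
                                parse_executed(EXECUTED_DROPPED), SAMPLE)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the constructed subset the secondary infectors come out as DiagnosticsHub.StandardCollector.Service.exe and elevation_service.exe, fxssvc.exe is the target written by all three, and msdtc.exe and maintenanceservice.exe are correctly excluded because they only wrote logs. Feeding the full report text through the same functions gives the complete picture; the basenames in `exe_targets` are the list to hash or signature-check on any host suspected of running this sample.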
Drops file in Windows directory 61 IoCs
Almost all of these are msiexec.exe installing the Visual C++ 2005 (VC80) 8.0.50727.42 x86 runtime into WinSxS, i.e. the package that VCREDI~1.EXE carries; the payload-chain writes are the three PresentationFontCache.exe opens at the end.
- msiexec.exe, Windows Installer bookkeeping: File created C:\Windows\Installer\inprogressinstallinfo.ipi, C:\Windows\Installer\e578c71.msi, C:\Windows\Installer\e578c75.msi and C:\Windows\Installer\SourceHash{A49F249F-0C91-497F-86DF-B2585E8E76B7} (the GUID is the product code of the installed MSI); File opened for modification C:\Windows\Installer\, C:\Windows\Installer\e578c71.msi, C:\Windows\Installer\MSI8DA9.tmp, C:\Windows\Installer\MSI926D.tmp and C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
- msiexec.exe, File created in staging directories under C:\Windows\WinSxS\InstallTemp\ (each directory is also opened for modification):
  - 20240523220242672.0: x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_6e805841.manifest and .cat, ATL80.dll
  - 20240523220242719.0: x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.manifest and .cat, msvcr80.dll, msvcp80.dll, msvcm80.dll
  - 20240523220242812.0: x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2.manifest and .cat, mfc80.dll, mfc80u.dll, mfcm80.dll, mfcm80u.dll
  - 20240523220242969.0: x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0.manifest and .cat, mfc80CHS.dll, mfc80CHT.dll, mfc80DEU.dll, mfc80ENU.dll, mfc80ESP.dll, mfc80FRA.dll, mfc80ITA.dll, mfc80JPN.dll, mfc80KOR.dll
  - 20240523220243047.0: x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0ee63867.manifest and .cat, vcomp.dll
  - 20240523220243078.0, 20240523220243078.1, 20240523220243094.0, 20240523220243109.0 and 20240523220243125.0: 8.0.50727.42.cat and 8.0.50727.42.policy in each (publisher policy assemblies for the five components above)
- msdtc.exe: File opened for modification C:\Windows\DtcInstall.log (the DTC service's own log)
- C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe: File opened for modification by 9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe, by DiagnosticsHub.StandardCollector.Service.exe and by elevation_service.exe (another service binary, infected by all three writers)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Four device instances under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ are touched:
- Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (the sandbox's system disk, presented with a vendor string that names no hypervisor)
- CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 and CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
- CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000
Readers and what they read (the listing is capped at 64 entries, so not every device/property combination is shown):
- spectrum.exe and SensorDataService.exe: "Key opened" on each device instance root and on its Properties subkeys {259abffc-50a7-47ce-af08-68c9a7d73366}\000C, {540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009, {cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006, {8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004, {51236583-0c4a-4fe8-b81f-166aec13f510}\007A, {78c34fc8-104a-4aca-9ea4-524d52996e57}\005A and {b725f130-47ef-101a-a5f1-02608c9eebac}\000A; "Key value queried" on each instance's FriendlyName.
- vssvc.exe: "Key opened" and "Key queried" on Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters; "Set value (data)" on Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 and on Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f9c3b1b881b13bb50000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f9c3b1b80000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f9c3b1b8000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df9c3b1b8000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f9c3b1b800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Caveat: all three readers are Windows service binaries (spectrum.exe, SensorDataService.exe, vssvc.exe) that the sample overwrote, which is why the sandbox attributes their activity to dropped executables. Opening per-device Properties subkeys such as {b725f130-47ef-101a-a5f1-02608c9eebac}\000A (DEVPKEY_NAME) and querying FriendlyName is ordinary PnP device-property enumeration, and the Partmgr\SnapshotDataCache value (its first eight bytes, 53 4e 41 50 50 41 52 54, spell SNAPPART) and PartitionTableCache are the Volume Shadow Copy service's own caches. No entry attributes a SCSI read to the sample process itself, so treat this signature as weak evidence of anti-sandbox behaviour. Separately, note that the sandbox disguises its disk as Ven_DADY but leaves a Ven_QEMU&Prod_QEMU_DVD-ROM device visible; a payload that did check these keys would see it.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 45 IoCs
Suspicious behavior: EnumeratesProcesses 51 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
2700 msiexec.exe
2700 msiexec.exe
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target
PID 4836 wrote to memory of 2208 4836 SearchIndexer.exe 111
PID 4836 wrote to memory of 2208 4836 SearchIndexer.exe 111
PID 4836 wrote to memory of 920 4836 SearchIndexer.exe 113
PID 4836 wrote to memory of 920 4836 SearchIndexer.exe 113
PID 3728 wrote to memory of 3720 3728 9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe 117
PID 3728 wrote to memory of 3720 3728 9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe 117
PID 3728 wrote to memory of 3720 3728 9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe 117
PID 3720 wrote to memory of 2700 3720 VCREDI~1.EXE 118
PID 3720 wrote to memory of 2700 3720 VCREDI~1.EXE 118
PID 3720 wrote to memory of 2700 3720 VCREDI~1.EXE 118
PID 1948 wrote to memory of 6008 1948 msiexec.exe 128
PID 1948 wrote to memory of 6008 1948 msiexec.exe 128
PID 1948 wrote to memory of 5168 1948 msiexec.exe 130
PID 1948 wrote to memory of 5168 1948 msiexec.exe 130
PID 1948 wrote to memory of 5168 1948 msiexec.exe 130
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9430495586dfe4a24ae4cf6188e8d350_NeikiAnalytics.exe"
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3728
-
Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~1.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~1.EXE
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID: 3720
-
Level 3: C:\Windows\SysWOW64\msiexec.exe
Command line: msiexec /i vcredist.msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID: 2700
-
Level 1: C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID: 1636
-
Level 1: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID: 3168
-
Level 1: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 1700
-
Level 1: C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 5004
-
Level 1: C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID: 4396
-
Level 1: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 2968
-
Level 1: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID: 4032
-
Level 1: C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 5000
-
Level 1: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 4368
-
Level 1: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 4960
-
Level 1: C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID: 1416
-
Level 1: C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 4220
-
Level 1: C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 896
-
Level 1: C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 2476
-
Level 1: C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 1600
-
Level 1: C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 3636
-
Level 1: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 3624
-
Level 1: C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 2076
-
Level 1: C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4432
-
Level 1: C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 640
-
Level 1: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID: 3432
-
Level 1: C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2692
-
Level 1: C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 1792
-
Level 1: C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4836
-
Level 2: C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
PID: 2208
-
Level 2: C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
- Modifies data under HKEY_USERS
PID: 920
-
Level 1: C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1948
-
Level 2: C:\Windows\system32\srtasks.exe
Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
PID: 6008
-
Level 2: C:\Windows\syswow64\MsiExec.exe
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 344A911DBD52B7404814080791264ED2
- Loads dropped DLL
PID: 5168
-
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize 27KB
MD5 59d6349e75d72fc02c1dc7e4bb05ace5
SHA1 5ba3c35d26f48943c7cb3a3f9b7a901768e45cfe
SHA256 47ee9d390df1a857826cd9e27aa22d1cdf364a6fbbb4146a35f76c525a6c1379
SHA512 1e7a41cd9f59b8871b6574dfbabe3df0fb4863588a4345a2b35e2c5dae68802be896b35fc484baf6010c04918fb71a95ae4ce5829830d1636bc495e949ccfb08
-
Filesize 2.1MB
MD5 95fde8f184ee414e61df46269033ac76
SHA1 7d3941077511a697e789295a3b270dec9404fce8
SHA256 118011eacdbd1d8dcf02ecd398d39c9d22112ddcca648ce79360bbc279b13451
SHA512 bf8fe7579d1ef8c3043c580238e86e218bb687e6c9c7d9844948279964a561054ea7313ac041db744e82c548ed69ba0f6f844c4adaa5feb62446258d78428baf
-
Filesize 797KB
MD5 b31dede3e4c45045e1d54685a8849556
SHA1 c19606647adf4c954a7008228c63d3de98083ce8
SHA256 3a03ba42273b288e436c7da3835c897195c910d91dab2b861364fbd4e3c3e7e4
SHA512 98b982ec8afae12f4331789c8ad67f3c0dd4d386b1a1a18524dc5cb7fd1dc7ea46b3ba7f061b4a98d7d04cfe32a08af52865c19ebb444536bae7e941655cca85
-
Filesize 1.1MB
MD5 0a1cb312093b5fd4f49d9658e5262e10
SHA1 dd3158ee696014fd01b45cff862702c937591c02
SHA256 d38107f6ce2d1600cc26fa5e79386a027f3274b0aae22f7f6202977b51366eec
SHA512 02e8074278a34ee216ab8556e4eb1bf8fd324575d7ca9b3559d85ca927cb4b984c5e079a2c7ce7f989afba336ee9b70af1fe982a7924397b36630a625c130d0e
-
Filesize 1.5MB
MD5 499f8cbc47b4387c1acb5d59187fc306
SHA1 5c76242cb44df03423ff532c8269383513c887b5
SHA256 74b03f1e28602528cb7b8f28ecfa8572a6215db95996d074ca2867ccd29c0a4e
SHA512 8049aaa8fef0df0ad6cbff3acffcc29c6470d541da3dc70d1fea079d24a5b03a03fc46ea457fab6f921658e13e0a647a095e3196e7f6d91ac46a0ae5874988bb
-
Filesize 1.2MB
MD5 8e98b2905e0e33737f073efae61c561f
SHA1 d68584e6f34af2d098f061b3d27bc7a9af474055
SHA256 107cfe46a25b5414446c0fef602e003bd2275ee9496e91e3bf1fbd5e0b222d8a
SHA512 d25b7daf4da187f12aeb2ccac3d8dfc7bb84477fdaab94fb5cf53c879d9448d0e0d51dabcf34863d7c8de18d0e4a7c0666aaee17596640ec1898f516bf1f333f
-
Filesize 582KB
MD5 0f7fd39d5588cd006ea79d631d8f7e36
SHA1 75eb839a56b46805be94213ef35ee26f4affd9c7
SHA256 9e37a46a272f48a68ab6a0ec6c76ed110429f83b8ec96802034d70108e9b7c32
SHA512 276c32c5ba70e0c5f994cc094654cc60560f1207571f7beb3e3022b37e7180e51acccf4be9ee96d9853b4998721d98efa31ed07530c60a31a982992f772e27b8
-
Filesize 840KB
MD5 2cf0e4738416c262751cccd7d7c9bb79
SHA1 fefd6512072c522b311bdcc0d56c9ff5e89669dc
SHA256 50e27898bc18d3e1e6903a1bfd725eee0437054787379b8039b543585eab6e9b
SHA512 94105e540cd7f56098ab6fbb4706436de03f5fb5abd17633de7211ed6dc1cb443e1e77629ca774eaf3dcfc48c5376a07b78a4ff2d86f38b5826eeffe1aa83d03
-
Filesize 4.6MB
MD5 44b62fa8461c52fa82efa6b3c32259d3
SHA1 121f2ac6b01a246798b0c8977c17651a88b604f5
SHA256 ea84e6c0da49ae8cbf08132c9f39aec1ede0d6c95113ce44c52d7d62fe182c87
SHA512 fd563e0b2b64017f4256208763cd8523b276710b8c49f9f2f39cbf159fad82146bbcd747c10b1aa69fb7e9148f49cf56cf03d38114b4ba6dbb511da21a82e6ca
-
Filesize 910KB
MD5 bb15e6c6cf1ee0c1c529cb76e5ca9b4e
SHA1 dfa4416040fd734d6f22b91552bcc33f7eb395e6
SHA256 df9a66e6fc72571351f51b045c98e338a66d0a8db7d3741c9c7dc81204fedec6
SHA512 bbe7eff7457c7a8c74aa73dfff4daeec56423f48777c718a09d3f8dc89b5f330423eb2eb8f03daa344cb07c5ed5644321cc88890b1936e91bce221945e426a4d
-
Filesize 24.0MB
MD5 535f86c17b58693c90ca4a16d8f86840
SHA1 da22b2f36223d9faa12a7482dab683a95cadb07a
SHA256 f78e5875e9cf7f3c5486be0c19914ef60c7ddabfc1d632ab20e195d4404313ca
SHA512 ad4901b7848d42b350a87433917fcd58f994098c8056766624b7211bf096d8138783d689a5a70519ed0a234f23484190407fa36c9ef6ee322bc2864ab2ff3b78
-
Filesize 2.7MB
MD5 19966849d9d110725e83f58882b5ef0d
SHA1 3581b3a14a250e0a1fd24bd03c94792703a0029d
SHA256 c87e64db76449cb417a94d3df255b24c50219b249b04220f13e194655c9f4522
SHA512 5fdb0f4b2f98a44416f3ff3bd8ce653373fcf41822bbdad5b49848bf79bbf1ec1d3cb3e41c401d7d4527572b06ae1da9a3ff22adbf6322059e47f044526b8635
-
Filesize 1.1MB
MD5 d626296304e90f188556aece452fd1d6
SHA1 246d67ce383007fb5d09fb4ebb95eb1656fca6ae
SHA256 3e3f4ffd17a065f373fcec7577ed0d4db1021e3c746e5c627dc3672fb40299a3
SHA512 9a8439fb2cc3d61a7c2669306d5f9485882ef816806dc4d426b732e5bde2106c1453da265b743c4afb0d15192ac84f9c20651ad18d816623baaa2f836eb429b5
-
Filesize 805KB
MD5 f6d899e76914df63aec93c25b1d148a2
SHA1 faef53fe21930f4b5644496d3157f3a948e051b5
SHA256 1f4db2db2242ef8558eaa39c44185a92193d0355edb615b1d389ced035a5be6c
SHA512 153833b548b1c69010c22456cfb2af24a23242482a97ece38c53225f8fd4d7024d63722c23e81a3540241fa07f1c8cf036a12ec461ade2fd444c2871083e9de0
-
Filesize 656KB
MD5 9065b2477a0fd32bca23cb7029a17a4e
SHA1 f0064a54a982033317b61b39e2b63dd4d6289ada
SHA256 a7e51cfd831bacacff5468a2dfae7afa3bd6dae22b11773beca68f5738733b6b
SHA512 c04f948f26d4ff945dd6d742292f155dc07fba8f1debbe02097109673028959b5faad1a757e4b000b3a3f1c4f0470be1f891a895d5c9a4029c0382709cfc86a0
-
Filesize 5.4MB
MD5 9ebb7f26a7d5abd0c39c3b14fdd95f7e
SHA1 c24f815a1209a460fab1209935aaa46d4c385c6c
SHA256 71a44f23fb3438c6d60a9ff4d050c0574577c63d4246ad3186a1ebb7723168f6
SHA512 c0acba934b6a5b939d06f9024689a98b85ff3978aaf2b08dd959a21579a3d0c228b4d75ba1733b0ca26cd9570f088806170ef53332ad047f86b909dbd2e0d343
-
Filesize 5.4MB
MD5 cb0add2f401130df8a315f38f3d05285
SHA1 6abaedf61127f42651a585184aaba6d47be8c8d1
SHA256 a42ab043d20fec1402b052b9008a142676145b2f07b6de69c4161847a3bbd4b9
SHA512 a0ded634127567c7e4b07ace59041d0b445797d23a424ae05b4b4a5785d76bbd0843d1c2458e3aa657d557ae5395c311311fba5e80520b7ecb0689af3a3e2e48
-
Filesize 2.0MB
MD5 249e9d5af8762aa4068cecfb4a47aa22
SHA1 2499e99510d70f13e285858ae583bfb7d6763a2b
SHA256 4793a8163a8e2c667abcdbc73325882153c12e44fba0d280c9aba3d9736670cd
SHA512 c744151072c75c1335bd84a4fd49013f725e03b0fb65aea8230c5c1ac18ba0c616d6af116d9f465c70995705bf8d2c5034e6935602ebbda1403b474c6334c7ea
-
Filesize 2.2MB
MD5 ef4f756e71f5ca6262066e9dc7c7946a
SHA1 63e1a51bb54e13376bce2d131f85be861e37a5eb
SHA256 c6fcc4e5f2b97859c9540250235e735e6cc4bcaf8df92d68a8336dce64d370ea
SHA512 0daee377180b3c312876ae1e1e846fa5cf873aebe048e83355b6f77500fe71033d9b196b28f13b86c050599c404c12a8ee28f3c62290f704eddf614d0789aa0f
-
Filesize 1.8MB
MD5 26e0ebc1393416df6f8064ed12374e77
SHA1 c9d5c038b0ab5f9d7a3df4b619c0337c2c6fba9f
SHA256 a8a2a36959753d91f6c47a182829250e4f9cfb43ffd17e41c80bbb346aa3c48a
SHA512 cfe946e2bba6c0942616ee05f4264c2c2fec3f6a10b49a1ff707ac52d1b75951d291c5e32a550fff7a158c9ecfb8fece1b6288eeb0786a532f4e01f69f20e81d
-
Filesize 1.7MB
MD5 424c1c6a70600cc9cb4124e095ca8b77
SHA1 f6d7b2af274f241ffcabca596a8f6ebeca03e39b
SHA256 67df0490699c6892474fd7da1e84f4f3da1bb6e201dda2c8268db9bc209e5f10
SHA512 b0bf5458a6afb28f384610061d2ab7235b4d44267fe7a6fcbe38d8e6e6a73f590edd5a28a8a4cdeea501341ed40eefadc21aa4a548332d601b57df0f8a6423f0
-
Filesize 581KB
MD5 e868e2c57cb8475c967283ead7b22746
SHA1 26fc6b4073ea3a3d8be74b5863c7ca6ea84d6c61
SHA256 c9360c57563ec86c2c064f7b1ec37e7489f1751da530cada4c71806bab0f8ff2
SHA512 4dd867d533a9ba706649353d87637356168514b91f6acd0fb4fa3506c2fdae6228efbdbab02549074527d6f809e72a0ca4b15652258a841cd51fde76f79d3a85
-
Filesize 581KB
MD5 22364536aed736e7fb672a42871245ce
SHA1 2d1e3036949f8aea5e3a43e39f1cea457e537dd7
SHA256 523382af7c4dd442377227817d5603d6513836b3ee1a11a1cbbb6b3a451895a5
SHA512 a2ca99c65ac6e1bdb132beae39352cea02360514b2831ec6987f7efad0b619f970e998009e9a4940d9015b7254ead1d46cd37922fc5d34b544ff5faf2f73be5e
-
Filesize 581KB
MD5 85538cb2e4540c0348131c58ee9c6171
SHA1 af7e78b01f8c192ce560cdf447af733d5aedf436
SHA256 937cacc484020d904af97cd32338115cbd3d0ced301ab65110865068b90f47c8
SHA512 da24f51d54ce8c62eadb334f83391d987106dbfc5b31f4dabb86fa53c3442804846fa1b4f29bd9a77f94240ad6093a59bbf249c12815b273efe55efbc369df7d
-
Filesize 601KB
MD5 8448c876aa04cfe47e31d7bbbd17f8bf
SHA1 7791149159685b2d0398480d448b95171a997145
SHA256 b8645d55a550f376425f996850b37fa5189522920db761ca18d7411cf0c8e106
SHA512 646a7cf813324392a646c5947e08d7785ac4883f1965a569a97e3936db314d626ea3a9a2b7e4d917b8af3975ea2394bf728577a2d9c8e1e985581db18e8d5d23
-
Filesize 581KB
MD5 c99627a7f4c72cb94dfd100c0621e36e
SHA1 7c007251dffad302ac158d657adfa0b0c45433c7
SHA256 f14b94a78a48725a6aef8f85e16cde47a79c70f20ddb5af3afe411ebc1144fe8
SHA512 b892e6f21e0c72c4e3efcc8b7a494bb5b252d2e0c29ef68bde54511846f2e53cd8626c4637833653f97caa7e94cc13dcd8d5020b0db7a31cc161b9d4c59be7bf
-
Filesize 581KB
MD5 3df72be0b5918f2c6d459f82572d49ba
SHA1 77366b435ecf2f0c70d5a57ea161f21ee083fe0d
SHA256 0912ee5ec644b366cc8b8677d965bb7c07b002e319544a711979460a45dcfaca
SHA512 3a6fe97b69d71de9eb023f3094fa7782b23cc247de1fa985765b0cbedca2818d0dcd5d49192e12c1cc1da47bd5a3ba0f0eff8bde7cde7d86d0bb3131d8bdb863
-
Filesize 581KB
MD5 77723ec71f7ad12becbca77cbb39ef75
SHA1 bd4c758eb6c43d6728234d7a7d8f6e7b764f421d
SHA256 f75c977206d00e668442835be7fc5adfe72db25924c90cce2f3a06346739b9e9
SHA512 33542eb47b69573f6458979a2d5f79efcc3a692ded84f9b371fc294327b4c0b5c06508b94dd99b933df6811ad8b39786bcd73ceba0b39594aef1e00abe5c9e64
-
Filesize 841KB
MD5 7afa63bfeafe1656675064767f71e2ca
SHA1 4a8bff7fbf7289ad7b8fb9dd74bcd5105f7d1ce6
SHA256 97e0af47ee39351b22c40ec936c36083006107077a0273a3ffeb7af0ae76e64f
SHA512 f6bf9444246e31faf4a48ea1d5258b5bd90b0cee333a813f6ad7b9570ef185ca73b32adb6f50bb023482ce42b4071a70a9c0115a0dcf4b4f357355b612746bbb
-
Filesize 581KB
MD5 f52a928581d6c9f4b8e763676bb8a09a
SHA1 cba806afa75189138eea74a7c2d317628f546881
SHA256 28afebc227738a714d6be7eefb9d7dee07ba377918984f8fc6083298537d8347
SHA512 310d44e6c0b3fb7ac6ecd143a960a9f3b9934867d9f8c91d0f42d3938c6ad87d2231c5a1c5515bcd602b95751e186f459f3bb55c93a60b9449c7f858dbca7226
-
Filesize 1.5MB
MD5 638c6d4f694807719bc0cc8fe294009a
SHA1 3dd79a46d06c091dba1e9726b695aa2c67323747
SHA256 d96f95ef5853768796d1fd1affe0e0c7c099d23e4bafa32458a66af107a784dc
SHA512 f5bf197aad1df095dfd4ebff076ae9c28b48d46c160574de606d09f7c20edf79d84a1a4542ff8aa788ddeda17be9b69b0c5e47535ebb949492162d7aa07b48cf
-
Filesize 701KB
MD5 02b9456652a987f9ad113091a620fb48
SHA1 c9c6b37f4d3523e18772241c43b6c6f58016e1c6
SHA256 477d69ac97463bb27842ea01fc484ef34193a882b46e83d9601a8a47314d3523
SHA512 8c1dad6ca2c2f865220a8c8ea9b641df33cf2bd17f07c04f7809e62bb8177524942545bc3ccf5050f6c7d796d04a2021f8117f1a9ec116ae5dfcecdbbd88d88b
-
Filesize 2.5MB
MD5 f031c0d2b460209b47b91c46a3d202fe
SHA1 95040f80b0d203e1abaec4e06e0ec0e01c507d03
SHA256 492826e1aacd984a00dd67a438386e4de883cc923cb1f25e265525a4cf70ed7b
SHA512 18840649d19c5310d274bac69010514872a554bb5ecadb4af5fa3667ad1a6bf9d644b31393edbc1b60ace6eff907c79c078f8213948cf90fa4d1529c68ccc629
-
Filesize 245KB
MD5 00d3bf1c1e82eee48fdf3361dd860e19
SHA1 b2f45cd2791ce178b45b06a95e7f58f298512d6d
SHA256 f2ce7873a39f7f8a2a2cd888a6b2f0a25f62bb3c475ee73cfe54988982ef65de
SHA512 cf5c06c4052b103d0a339d5535db2d8a9f069e928ee8c985f03e321b7e1977ff2f2200ad15671d6e93b9c706bea7586cd3df11fdbaaaf8c63a0ea4291431bca5
-
Filesize 2.4MB
MD5 b31b234cb0f534069ba32aaaeacd7b2d
SHA1 d6f90459f8bdbf7e75cc85affe9b137dc5e304e2
SHA256 b5a652a1025f194f59e1349a1f26709d7ff7760067439b2d52d988a55d9340f0
SHA512 138cb14f6018d3bddd78012c5b36a591fe70d1b2b7f9d3774230639302401be57e1a4d6098c66a83c47e67138ac6dbe79f64548e4c317bb804a4e9a3ffdf94ea
-
Filesize 24KB
MD5 7bfa56d222ecc4267e10c01462c6d0d9
SHA1 9b3236a45673ff3bb89df3e690784b673ae02038
SHA256 6eeb255e1d5333a7b4f1b62e36afa1bea5cfd6c7e32058bb3a9efebc4d9f2ad6
SHA512 10cec6bfd08a8b7cac1acbc3627cb014554ba71f44eb4bfe5b1471b81d6d292fd83a352d553af0de75fc1668a1f13d7f6f6c7bf1c6524117f363a3a7fc9b09e9
-
Filesize 588KB
MD5 74635caaf4a016d34f9f2bbeef679824
SHA1 1a1e54893030fd88fc19a1b361622a029a2c5f44
SHA256 a768260163de152aa94096761aeab0d790a281a76a55be452bda30e322eb7b1b
SHA512 ba28b5f63bdde272ef47ce022cd56e9bd8765e6ab9c74220f3e017dcc54108fe883066fd4bd45fcc35222272e89fcbc2c4c4e03015a7c8a8d2dcf792275c9e75
-
Filesize 1.7MB
MD5 4c6dfa76e025d6c5ef92db99bdaf479e
SHA1 81cc3eb7a44f9f75e4c4f78705354ca6fea9eb40
SHA256 7419e023d41a7d91546059b3b338ff8c873a749826a7235ed1337680eedef91a
SHA512 d0cf0a9c91fb974a329b2fe000ef0a1cdce08bc6b041438ed35791a70b495ef453678c5a94537b75f6fa18effb275051d21f186c11b6dca75c0814ac17377239
-
Filesize 659KB
MD5 e08623af290b886661d615efe931ad47
SHA1 bfba8238a62b5639512f419fde0c84241feaec84
SHA256 71b7dd009bdaafe8452ed53a3320094d913f57dd34ae9f243cd81d357283b0ef
SHA512 de9db0525d8c42cc6381d3b105969316086dec814470cea3b4998329b8c8915954b87ac1b7d744ef965bd694ce373a900babc37816942bff5cb9848425ef4ed8
-
Filesize 1.2MB
MD5 e8f458fe826e94883c40685970adf63a
SHA1 e13939984aaca515a5b2d1334a4efec9bde2bad0
SHA256 6524e3a5f03839f412c4af96c43f3f1efaed5184be3458f920e30c52ff839d9f
SHA512 c4606a7934d901d4db6b051828b949e911a3f13169a30b808200418ebb5050c8556f6db1415b0788b7cef88593a9a874a8a71d720b6b0a252eabbc6037bab589
-
Filesize 578KB
MD5 6b95202331b91ea97d9b5fa97bb1ed74
SHA1 337e6c9bbae5b9c8ab410a018d8367e55cb7fac3
SHA256 a35fe39b5368f3b994cb1027729b3eefb19d0ee67944cda4939182e0f35bf139
SHA512 7ef79d6d1de727c44f98015d51834a8e72ccfb12b285da9b3f7bd9a2ecb61d327de95f92a6142d3eeb4eec30af7831c4aee78195e5e00927135363ced56c6606
-
Filesize 940KB
MD5 0aee483fbeee9145ef857152d9dbe5e1
SHA1 c7c8f45bc503a5ee4421b8f196b83dc55a10e064
SHA256 d5b0289c494990a97445c3178ef6d1917aab61a859a5d8c5fa5e5d04fe16edbb
SHA512 9e98a95e8e0ab2516b3e0daa45e3db731271dab5d961fec47927569cafbf287face8a2df589f257670b59796345cd3184e16a5bb0bce9004a31cb84a22e39f7c
-
Filesize 671KB
MD5 2821e0a330b2ae2895297a99789623a3
SHA1 53557c17e1ca412285f6d5fd5db44019b10bb205
SHA256 18b3a856c589e56789eeabaf4c5c59af94cd7d2fe826916cc74dff523095611a
SHA512 029c834da0fc8e11ea9873112cd93b9aa1dd7cbfc5cd78b24c254bb805642f90981f3bc11df9a09d9aee29c7b63bc1d9e760eab48dbc4b8b563c3453e8e652fd
-
Filesize 1.4MB
MD5 b82d4104be63f1f0ea6775a9344b27d7
SHA1 76705c52132ce21c6e241b0d7237c96fc26fe128
SHA256 f1d087cd06f6bbe1db708ce3be107869fe3bc53d019bca68a57fe1294e0a82af
SHA512 28b6851cf801789ffc61867e50e436c217d308abe898bc346d6d61b39344ef4f2f5dc5c88292361422cf3f14556c1b1fcd86e93fd47901315499350e5daddc38
-
Filesize 1.8MB
MD5 fbb6f9c2ec36b23ab7369d9afce352a1
SHA1 af84a173277371701c91ee6ea732df4f1aa164bd
SHA256 4bae144aa6a81d4adaa5987af6c0fdf9e8439d784ae1440b8680521cff3db305
SHA512 3d0137edd6775b70540993983a528f8224af4fbfa2be6a9c143db4bb6fb54eb73f55ba7031454a64d7f753778f8395a08fcd2e72790e918f85d5451f1ef6109d
-
Filesize 1.4MB
MD5 f3de35e634f5692c8b755e1a52a5a0c8
SHA1 8134ded52245e2d7a0bb2ec18724b0a5e8c3f995
SHA256 2b1fb3b3f54708d1a301d5249419adee19762304678b23d1b81d17ded48bed98
SHA512 f876e9afc07120602e4505d4cf8c21006ed7278937c5726c7973efca917c0e17c0b314ca34e574c75a580c57281decd7d67608c16e03d20152e425deb942bee5
-
Filesize 885KB
MD5 bcc98ca53a4709254c530db0f25b04dc
SHA1 829f25b17521d1961c1e164c6f8b361317391134
SHA256 1b33630c36bfac472c4c793db23d830352bdf62e430f7e1f67f46d3d2f9bdfdb
SHA512 ecbda7fd441abce241dfd46e905a217c20190d65059bdde15da4edef5dab260fc73bb6b20577feb15e2d26d442d5d92d445d6b7f640b05aaf21208a25ef0dc8a
-
Filesize 2.0MB
MD5 f7c83c561cae9fe95cb7f52777755e88
SHA1 d8a25aebcc228313441752e3866911fd1d93a5b8
SHA256 24197e0d8c37ef5af2c5e5261d4b40c558fa052f5a437eef6d23833a64787df5
SHA512 1924e4523c5f1acc82e6e0cccb8d756660a3217e7c5f43df3fe37c6dbeb19b4c3157730eb334760ef08fd6455eea0d928cf0ad182d99ca4db19a4ed19d8b6e37
-
Filesize 661KB
MD5 c4464832c04a2748c8424a55a17223e5
SHA1 349ae3cbe750f0c49b6b1348421d6fa584dcc202
SHA256 bdb559622db83cdb136220f64e75830d7161c7e17522c95a0db9fd5c67e50de5
SHA512 25363b895308fe88897d9963155809e4c2e4eb4f5568a27328191ce03dbe2bd6942c80aa9b3febe710aeaf987d748fb8e006c0e60fcf6c52671378fa4bf9c956
-
Filesize 712KB
MD5 32fd5896057d741f36ca5d9f8ceac26c
SHA1 ac4ad4ca949b0584b0867bffb3c3471edcb4146a
SHA256 c9159698822b548f3f39c1e03cc426e68d58d221839e3163449e910d22772a28
SHA512 a0d2a9deb3b3b785c7d92d4f8122d90482cf7caf6a7b60f99bb70eab89efe1f968d29554f9b98dd262a368d388a7b8262f55569c4b9f5085741cc7e3b2b8701f
-
Filesize 584KB
MD5 68aaa187d13122683713aca91b18c9c5
SHA1 7e79a21a681108fa7b630de1b0f1a3d9875022f8
SHA256 805cc25fef828f8d6fe1d510c3ded51f6d418b0c4107976e3972fe9e16209f67
SHA512 22f874e7576a1b14463aa99a1dab214bfc26dc384a3b9162f11bf5ff1a8efb68cf2953656b1a86f1bde4ec0daf17d593a13e873de75cf2d870eed3f4aa2e4f56
-
Filesize 1.3MB
MD5 d95d7135f16eac404f84bfd695f7d6b1
SHA1 9d27e43bd3aea85c4a0e89ee96b194b5caf0c5f8
SHA256 13cd013b370cd8c54cbdded1dd1112f98a2c66cf907469852e84a2a93a49fb4d
SHA512 b858013d97d7da23108201be8e9c720007ea4f63281ad4c7d9f2c604a9a131a8b1afd9ffa9926fc701bc5d3bad0cb25ca21a9794624fc9ca87d97f8e493308e4
-
Filesize 772KB
MD5 5e58fad5ddbe5b2c0534ebdbb7735b81
SHA1 a645b2173f29d2f37212872fe8dd8580f6a06d0e
SHA256 8989a941707fe6e567a7fe7c30fd1fe5455cc08571d26d4ae54fcc9bb314a108
SHA512 9d04e6a2adb1699a16248914cb83141e1702f1e22cae8f90433beba41114ec6e41e820a6347b28c2068263ab028497466c4c75818e5cfb4f6ee760a748f9eb0d
-
Filesize 2.1MB
MD5 af91587ba4eda7d5d1dc342ec17c878f
SHA1 22426068061ca43d8cad9bc64f43910497a02b70
SHA256 5e295695fd2d08d210239a10d9a149fd3fa3d8e018ac522069fea6b94bb89f38
SHA512 fee8062af9089e5ef9d21e73003a95283f64705767049808583b84f342276309f86428fad27c794029175e19ee2c38175678f77b09d266e017d0fd35216ba012
-
Filesize 1.3MB
MD5 4d269f48529bb50437e20c1a07087450
SHA1 89e2c83a9126eed5bd71f009ddf046999d073449
SHA256 15d81445b587130fe61027748896ead661945cd5adf55e6157cc511b643c9f0b
SHA512 ac71a9d1a697f5b14721e27a52af230fc65aea7fe306e7ec996e500d65a698e87c0be8ea01149acb10d49207913894e901c9f0c2c6ce9067530843b3bf4d4ffc
-
Filesize 877KB
MD5 342d331690b610a0cbbd57640449572c
SHA1 b314cbb6d9e02ce9bcd528c1bf5bdf3bd61204c1
SHA256 c301f24fee645cf1534c8d28c99cdeac71f1490eb1a2e436bbdce89dd2a98919
SHA512 89688bd1906766fde4752a41c01e53b5ef9642144409d49898b64017199bd194fe822276667c7a5745b7ab278dd84541978ae0073f3c25573e4e40a315a37e33
-
Filesize 635KB
MD5 bee38d1d5f2f535b2adae4d753b7deaa
SHA1 8c377c0b1ffd04f35d9f51736d7a52c6dc7b0196
SHA256 62b427f813f2777004908a4ccfb38b1245470e084998f231caa18e2de4f3b7c8
SHA512 fa580c02dfe7142e35575ab6b6f54a440af1f51efdd6de6e3102c78705248c596ceac866ab4f345da8e5edef384d67802946a8bab72c2d01ab1111eb48da82d1