Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 07:23
Static task: static1
Behavioral task: behavioral1
Sample: 927cc80a83578f56d2eb5c5f90767160_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 927cc80a83578f56d2eb5c5f90767160_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: 927cc80a83578f56d2eb5c5f90767160_NeikiAnalytics.exe
Size: 3.1MB
MD5: 927cc80a83578f56d2eb5c5f90767160
SHA1: f2e81ec5a316febeaacd073ad1824c62074782c1
SHA256: 61cf8d2e342099092263d916b77e3d03bee7166736fd815e9f00761ee5631c8e
SHA512: 1b06c7ac467063a9fed37c52084ee3bb6b3950521e46d686ca5545a6e5391b06b5d3193ce54d51dd649a714815ed8c1304279ab604ec5851e8efe815ea9e9081
SSDEEP: 98304:fHgNDfXQ1veFPk5FaoCRrgGUDxYRVlbnP9WXW7H6C:mDfgZeVmCJWlYHBVH
Malware Config
Signatures
-
Executes dropped EXE 24 IoCs
Processes:
pid Process
3700 alg.exe
3812 DiagnosticsHub.StandardCollector.Service.exe
3628 fxssvc.exe
4816 elevation_service.exe
2948 elevation_service.exe
3152 maintenanceservice.exe
3184 msdtc.exe
2644 OSE.EXE
772 PerceptionSimulationService.exe
2172 perfhost.exe
4652 locator.exe
388 SensorDataService.exe
2492 snmptrap.exe
4144 spectrum.exe
5112 ssh-agent.exe
2256 TieringEngineService.exe
412 AgentService.exe
368 vds.exe
3408 vssvc.exe
2940 wbengine.exe
3148 WmiApSrv.exe
3352 SearchIndexer.exe
468 VCREDI~1.EXE
1536 msiexec.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid Process
5972 MsiExec.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 927cc80a83578f56d2eb5c5f90767160_NeikiAnalytics.exe, VCREDI~1.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: 927cc80a83578f56d2eb5c5f90767160_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Process: VCREDI~1.EXE
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 36 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 61 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
TieringEngineService.exe
description ioc Process
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
SearchProtocolHost.exe SearchFilterHost.exe msiexec.exe fxssvc.exe
-
Modifies registry class 45 IoCs
Processes:
msiexec.exe
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
Processes:
msiexec.exe 927cc80a83578f56d2eb5c5f90767160_NeikiAnalytics.exe DiagnosticsHub.StandardCollector.Service.exe
pid Process
1536 msiexec.exe
3776 927cc80a83578f56d2eb5c5f90767160_NeikiAnalytics.exe
3812 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process 660 660 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
927cc80a83578f56d2eb5c5f90767160_NeikiAnalytics.exe fxssvc.exe TieringEngineService.exe AgentService.exe vssvc.exe wbengine.exe SearchIndexer.exe msiexec.exe msiexec.exe
description pid Process
Token: SeTakeOwnershipPrivilege 3776 927cc80a83578f56d2eb5c5f90767160_NeikiAnalytics.exe
Token: SeAuditPrivilege 3628 fxssvc.exe
Token: SeRestorePrivilege 2256 TieringEngineService.exe
Token: SeManageVolumePrivilege 2256 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 412 AgentService.exe
Token: SeBackupPrivilege 3408 vssvc.exe
Token: SeRestorePrivilege 3408 vssvc.exe
Token: SeAuditPrivilege 3408 vssvc.exe
Token: SeBackupPrivilege 2940 wbengine.exe
Token: SeRestorePrivilege 2940 wbengine.exe
Token: SeSecurityPrivilege 2940 wbengine.exe
Token: 33 3352 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3352 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3352 SearchIndexer.exe (repeated)
Token: SeShutdownPrivilege 1640 msiexec.exe
Token: SeIncreaseQuotaPrivilege 1640 msiexec.exe
Token: SeSecurityPrivilege 1536 msiexec.exe
Token: SeCreateTokenPrivilege 1640 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 1640 msiexec.exe
Token: SeLockMemoryPrivilege 1640 msiexec.exe
Token: SeMachineAccountPrivilege 1640 msiexec.exe
Token: SeTcbPrivilege 1640 msiexec.exe
Token: SeSecurityPrivilege 1640 msiexec.exe
Token: SeTakeOwnershipPrivilege 1640 msiexec.exe
Token: SeLoadDriverPrivilege 1640 msiexec.exe
Token: SeSystemProfilePrivilege 1640 msiexec.exe
Token: SeSystemtimePrivilege 1640 msiexec.exe
Token: SeProfSingleProcessPrivilege 1640 msiexec.exe
Token: SeIncBasePriorityPrivilege 1640 msiexec.exe
Token: SeCreatePagefilePrivilege 1640 msiexec.exe
Token: SeCreatePermanentPrivilege 1640 msiexec.exe
Token: SeBackupPrivilege 1640 msiexec.exe
Token: SeRestorePrivilege 1640 msiexec.exe
Token: SeDebugPrivilege 1640 msiexec.exe
Token: SeAuditPrivilege 1640 msiexec.exe
Token: SeSystemEnvironmentPrivilege 1640 msiexec.exe
Token: SeChangeNotifyPrivilege 1640 msiexec.exe
Token: SeRemoteShutdownPrivilege 1640 msiexec.exe
Token: SeUndockPrivilege 1640 msiexec.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exe
pid Process
1640 msiexec.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
SearchIndexer.exe 927cc80a83578f56d2eb5c5f90767160_NeikiAnalytics.exe VCREDI~1.EXE msiexec.exe
description pid Process procid_target
PID 3352 wrote to memory of 2240 3352 SearchIndexer.exe 112
PID 3352 wrote to memory of 3244 3352 SearchIndexer.exe 113
PID 3776 wrote to memory of 468 3776 927cc80a83578f56d2eb5c5f90767160_NeikiAnalytics.exe 118
PID 468 wrote to memory of 1640 468 VCREDI~1.EXE 119
PID 1536 wrote to memory of 1420 1536 msiexec.exe 127
PID 1536 wrote to memory of 5972 1536 msiexec.exe 129
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\927cc80a83578f56d2eb5c5f90767160_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\927cc80a83578f56d2eb5c5f90767160_NeikiAnalytics.exe"1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~1.EXE2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\msiexec.exemsiexec /i vcredist.msi3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1640
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3700
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3812
-
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv | 1⤵ | PID:1820
-
C:\Windows\system32\fxssvc.exe | C:\Windows\system32\fxssvc.exe | 1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3628
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe" | 1⤵
- Executes dropped EXE
PID:4816
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" | 1⤵
- Executes dropped EXE
PID:2948
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" | 1⤵
- Executes dropped EXE
PID:3152
-
C:\Windows\System32\msdtc.exe | C:\Windows\System32\msdtc.exe | 1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3184
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" | 1⤵
- Executes dropped EXE
PID:2644
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 1⤵
- Executes dropped EXE
PID:772
-
C:\Windows\SysWow64\perfhost.exe | C:\Windows\SysWow64\perfhost.exe | 1⤵
- Executes dropped EXE
PID:2172
-
C:\Windows\system32\locator.exe | C:\Windows\system32\locator.exe | 1⤵
- Executes dropped EXE
PID:4652
-
C:\Windows\System32\SensorDataService.exe | C:\Windows\System32\SensorDataService.exe | 1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:388
-
C:\Windows\System32\snmptrap.exe | C:\Windows\System32\snmptrap.exe | 1⤵
- Executes dropped EXE
PID:2492
-
C:\Windows\system32\spectrum.exe | C:\Windows\system32\spectrum.exe | 1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4144
-
C:\Windows\System32\OpenSSH\ssh-agent.exe | C:\Windows\System32\OpenSSH\ssh-agent.exe | 1⤵
- Executes dropped EXE
PID:5112
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc | 1⤵ | PID:3132
-
C:\Windows\system32\TieringEngineService.exe | C:\Windows\system32\TieringEngineService.exe | 1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2256
-
C:\Windows\system32\AgentService.exe | C:\Windows\system32\AgentService.exe | 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:412
-
C:\Windows\System32\vds.exe | C:\Windows\System32\vds.exe | 1⤵
- Executes dropped EXE
PID:368
-
C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | 1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3408
-
C:\Windows\system32\wbengine.exe | "C:\Windows\system32\wbengine.exe" | 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2940
-
C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\system32\wbem\WmiApSrv.exe | 1⤵
- Executes dropped EXE
PID:3148
-
C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchIndexer.exe /Embedding | 1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352
-
C:\Windows\system32\SearchProtocolHost.exe | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | 2⤵
- Modifies data under HKEY_USERS
PID:2240
-
-
C:\Windows\system32\SearchFilterHost.exe | "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896 | 2⤵
- Modifies data under HKEY_USERS
PID:3244
-
-
C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V | 1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536
-
C:\Windows\system32\srtasks.exe | C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2 | 2⤵ | PID:1420
-
-
C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding 543D7C2A7E4B0254831571C6CF8048B6 | 2⤵
- Loads dropped DLL
PID:5972
-
Downloads
-
\??\Volume{b97ed4d9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{06d094b3-5ff9-44a2-b2ff-984c544db6b5}_OnDiskSnapshotProp
Filesize6KB
MD5ceea24f92ea6e6ca04c27008dd84b972
SHA1eb15feeb019f0f6a47224521ab12e85815481b43
SHA25678c5c55375441708fa5e30006c9659cacbc33ca808f513605115e8f5136e6222
SHA512a0b5d16bcb7d2613788666ca940bfd502731bb75185b786ff3b29713fb3e4ed91d284b02f82a3aab0ac239d047d711f39e9b2580e7176a9ef9b32df17d59ebad