Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 03/04/2024, 10:18
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
Resource: win7-20231129-en

General
Target: 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
Size: 24.3MB
MD5: cd7b199f57142ddaeca9c24b0819df6d
SHA1: 4dcea2edabad051a54cbe3dcb7f8992e70c4fc8d
SHA256: 6e6d1ecd26a0273765e2eabb1f4164cd2d3c61c2ee4a424bed8ea09807f031fd
SHA512: ef6d21fc1fda9aaa3af415e0fb9313c69e9fcf57f5a0555da10f97b58966c7a28b75cdbfa1367e086df9457fac233034706395208191fe4c931925320e7a713d
SSDEEP: 196608:7P0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018iP:7PboGX8a/jWWu3cI2D/cWcls1J
Malware Config
Signatures
Executes dropped EXE 64 IoCs
Loads dropped DLL 37 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Drops file in System32 directory 20 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Modifies data under HKEY_USERS 62 IoCs
Suspicious behavior: EnumeratesProcesses 26 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid   Process
612   EhTray.exe
612   EhTray.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
pid   Process
612   EhTray.exe
612   EhTray.exe
-
Suspicious use of SetWindowsHookEx 14 IoCs
pid   Process
2940  SearchProtocolHost.exe
2940  SearchProtocolHost.exe
2940  SearchProtocolHost.exe
2940  SearchProtocolHost.exe
2940  SearchProtocolHost.exe
1076  SearchProtocolHost.exe
1076  SearchProtocolHost.exe
1076  SearchProtocolHost.exe
1076  SearchProtocolHost.exe
1076  SearchProtocolHost.exe
1076  SearchProtocolHost.exe
1076  SearchProtocolHost.exe
1076  SearchProtocolHost.exe
1076  SearchProtocolHost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description                         pid   Process            procid_target
PID 2508 wrote to memory of 2308    2508  mscorsvw.exe       43
PID 2508 wrote to memory of 2308    2508  mscorsvw.exe       43
PID 2508 wrote to memory of 2308    2508  mscorsvw.exe       43
PID 2508 wrote to memory of 2308    2508  mscorsvw.exe       43
PID 2508 wrote to memory of 1076    2508  mscorsvw.exe       49
PID 2508 wrote to memory of 1076    2508  mscorsvw.exe       49
PID 2508 wrote to memory of 1076    2508  mscorsvw.exe       49
PID 2508 wrote to memory of 1076    2508  mscorsvw.exe       49
PID 2508 wrote to memory of 1592    2508  mscorsvw.exe       52
PID 2508 wrote to memory of 1592    2508  mscorsvw.exe       52
PID 2508 wrote to memory of 1592    2508  mscorsvw.exe       52
PID 2508 wrote to memory of 1592    2508  mscorsvw.exe       52
PID 2508 wrote to memory of 1540    2508  mscorsvw.exe       60
PID 2508 wrote to memory of 1540    2508  mscorsvw.exe       60
PID 2508 wrote to memory of 1540    2508  mscorsvw.exe       60
PID 2508 wrote to memory of 1540    2508  mscorsvw.exe       60
PID 2508 wrote to memory of 1532    2508  mscorsvw.exe       61
PID 2508 wrote to memory of 1532    2508  mscorsvw.exe       61
PID 2508 wrote to memory of 1532    2508  mscorsvw.exe       61
PID 2508 wrote to memory of 1532    2508  mscorsvw.exe       61
PID 2192 wrote to memory of 2940    2192  SearchIndexer.exe  62
PID 2192 wrote to memory of 2940    2192  SearchIndexer.exe  62
PID 2192 wrote to memory of 2940    2192  SearchIndexer.exe  62
PID 2192 wrote to memory of 1628    2192  SearchIndexer.exe  63
PID 2192 wrote to memory of 1628    2192  SearchIndexer.exe  63
PID 2192 wrote to memory of 1628    2192  SearchIndexer.exe  63
PID 2508 wrote to memory of 2124    2508  mscorsvw.exe       64
PID 2508 wrote to memory of 2124    2508  mscorsvw.exe       64
PID 2508 wrote to memory of 2124    2508  mscorsvw.exe       64
PID 2508 wrote to memory of 2124    2508  mscorsvw.exe       64
PID 2508 wrote to memory of 384     2508  mscorsvw.exe       65
PID 2508 wrote to memory of 384     2508  mscorsvw.exe       65
PID 2508 wrote to memory of 384     2508  mscorsvw.exe       65
PID 2508 wrote to memory of 384     2508  mscorsvw.exe       65
PID 2508 wrote to memory of 2580    2508  mscorsvw.exe       66
PID 2508 wrote to memory of 2580    2508  mscorsvw.exe       66
PID 2508 wrote to memory of 2580    2508  mscorsvw.exe       66
PID 2508 wrote to memory of 2580    2508  mscorsvw.exe       66
PID 2508 wrote to memory of 2888    2508  mscorsvw.exe       67
PID 2508 wrote to memory of 2888    2508  mscorsvw.exe       67
PID 2508 wrote to memory of 2888    2508  mscorsvw.exe       67
PID 2508 wrote to memory of 2888    2508  mscorsvw.exe       67
PID 2508 wrote to memory of 1532    2508  mscorsvw.exe       68
PID 2508 wrote to memory of 1532    2508  mscorsvw.exe       68
PID 2508 wrote to memory of 1532    2508  mscorsvw.exe       68
PID 2508 wrote to memory of 1532    2508  mscorsvw.exe       68
PID 2508 wrote to memory of 1716    2508  mscorsvw.exe       69
PID 2508 wrote to memory of 1716    2508  mscorsvw.exe       69
PID 2508 wrote to memory of 1716    2508  mscorsvw.exe       69
PID 2508 wrote to memory of 1716    2508  mscorsvw.exe       69
PID 2508 wrote to memory of 112     2508  mscorsvw.exe       70
PID 2508 wrote to memory of 112     2508  mscorsvw.exe       70
PID 2508 wrote to memory of 112     2508  mscorsvw.exe       70
PID 2508 wrote to memory of 112     2508  mscorsvw.exe       70
PID 2508 wrote to memory of 2584    2508  mscorsvw.exe       71
PID 2508 wrote to memory of 2584    2508  mscorsvw.exe       71
PID 2508 wrote to memory of 2584    2508  mscorsvw.exe       71
PID 2508 wrote to memory of 2584    2508  mscorsvw.exe       71
PID 2508 wrote to memory of 792     2508  mscorsvw.exe       72
PID 2508 wrote to memory of 792     2508  mscorsvw.exe       72
PID 2508 wrote to memory of 792     2508  mscorsvw.exe       72
PID 2508 wrote to memory of 792     2508  mscorsvw.exe       72
PID 2192 wrote to memory of 1076    2192  SearchIndexer.exe  73
PID 2192 wrote to memory of 1076    2192  SearchIndexer.exe  73
-
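Three things about the two tables above trip up anyone correlating them with the process tree further down. The rows are per call, so one process start shows up as three or four identical WriteProcessMemory rows. A numeric token such as 33 is a privilege LUID the sandbox did not resolve to a name. And a PID is not a stable identity across the trace: 1076 is an mscorsvw.exe NGen worker at process index 49 and later a SearchProtocolHost.exe child of SearchIndexer.exe at index 73, and 1532 is started twice by mscorsvw.exe (indexes 61 and 68). The script below is an added example, not part of the report or of the sandbox's own tooling. It parses rows in either the flattened or the one-per-line layout, resolves numeric LUIDs from the SE_*_PRIVILEGE constants in winnt.h (33 is SeIncreaseWorkingSetPrivilege), lists which processes enabled privileges such as SeDebugPrivilege, SeBackupPrivilege or SeTakeOwnershipPrivilege, and uses the procid_target column rather than the PID as process identity so recycled PIDs are flagged instead of merged. The row subsets embedded in it are copied from the tables above; the SENSITIVE set is this example's own choice.

```python
"""Parse the AdjustPrivilegeToken and WriteProcessMemory signature rows of a
tria.ge-style report into per-process findings.  Added example, not part of
the report or of the sandbox's own tooling."""
import re
from collections import defaultdict

# Constructed sample: a subset of the rows listed above, kept in the page's
# flattened "Token: <privilege> <pid> <image>" layout (several rows per line).
TOKEN_ROWS = """
Token: SeTakeOwnershipPrivilege 2368 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege 2508 mscorsvw.exe Token: 33 612 EhTray.exe Token: SeIncBasePriorityPrivilege 612 EhTray.exe
Token: SeDebugPrivilege 2012 ehRec.exe Token: SeRestorePrivilege 2732 msiexec.exe Token: SeTakeOwnershipPrivilege 2732 msiexec.exe
Token: SeBackupPrivilege 2624 vssvc.exe Token: SeRestorePrivilege 2624 vssvc.exe Token: SeAuditPrivilege 2624 vssvc.exe
Token: SeDebugPrivilege 2368 2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe Token: SeDebugPrivilege 2388 alg.exe
"""

# Constructed sample of the "PID <parent> wrote to memory of <child> <parent> <image> <procid_target>"
# rows; the duplicated first row mirrors the per-call repetition in the report.
WPM_ROWS = """
PID 2508 wrote to memory of 2308 2508 mscorsvw.exe 43
PID 2508 wrote to memory of 2308 2508 mscorsvw.exe 43
PID 2508 wrote to memory of 1076 2508 mscorsvw.exe 49
PID 2508 wrote to memory of 1532 2508 mscorsvw.exe 61
PID 2192 wrote to memory of 2940 2192 SearchIndexer.exe 62
PID 2508 wrote to memory of 1532 2508 mscorsvw.exe 68
PID 2192 wrote to memory of 1076 2192 SearchIndexer.exe 73
"""

# Privilege LUIDs the sandbox left numeric, from the SE_*_PRIVILEGE constants in winnt.h.
LUID_NAMES = {17: "SeBackupPrivilege", 18: "SeRestorePrivilege", 19: "SeShutdownPrivilege",
              20: "SeDebugPrivilege", 33: "SeIncreaseWorkingSetPrivilege"}

# This example's own list of privileges worth a second look when enabled by
# something other than a backup engine, installer or debugging tool.
SENSITIVE = {"SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
             "SeTakeOwnershipPrivilege", "SeSecurityPrivilege", "SeLoadDriverPrivilege"}

TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")
# The parent PID is repeated in the pid column; the backreference enforces that.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_tokens(text):
    """{(pid, image): set of privilege names}, numeric LUIDs resolved where known."""
    privs = defaultdict(set)
    for name, pid, image in TOKEN_RE.findall(text):
        if name.isdigit():
            name = LUID_NAMES.get(int(name), "LUID_" + name)
        privs[(int(pid), image)].add(name)
    return dict(privs)


def sensitive_holders(privs):
    """Processes that enabled at least one SENSITIVE privilege, with the names enabled."""
    return {key: sorted(names & SENSITIVE) for key, names in privs.items() if names & SENSITIVE}


def parse_wpm(text):
    """De-duplicated (parent_pid, parent_image, child_pid, procid_target) edges."""
    edges, seen = [], set()
    for ppid, cpid, image, procid in WPM_RE.findall(text):
        edge = (int(ppid), image, int(cpid), int(procid))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def reused_pids(edges):
    """Child PIDs that map to more than one sandbox process index: the OS recycled
    the PID, so any row keyed on PID alone conflates two different processes."""
    by_pid = defaultdict(set)
    for _, _, cpid, procid in edges:
        by_pid[cpid].add(procid)
    return {pid: sorted(ids) for pid, ids in by_pid.items() if len(ids) > 1}


def children_of(edges, parent_pid):
    """Child PIDs a parent started, in process-index order."""
    return [cpid for ppid, _, cpid, _ in sorted(edges, key=lambda e: e[3]) if ppid == parent_pid]


if __name__ == "__main__":
    privs = parse_tokens(TOKEN_ROWS)
    for (pid, image), names in sensitive_holders(privs).items():
        print("pid %d %s enabled %s" % (pid, image, ", ".join(names)))
    edges = parse_wpm(WPM_ROWS)
    print("recycled PIDs:", reused_pids(edges))
```

When reading the output against the Processes tree below, key on (pid, image) or on the process index, never on the PID alone. In this trace the SeBackup/SeRestore/SeSecurity rows belong to vssvc.exe, wbengine.exe and msiexec.exe, which enable those privileges as part of their normal job, while the SeDebugPrivilege rows belong to the sample (2368), ehRec.exe (2012) and alg.exe (2388); alg.exe is also marked above as a dropped executable that itself drops files into System32, Program Files and the Windows directory, which makes it the row to chase first.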
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Level 1: "C:\Users\Admin\AppData\Local\Temp\2024-04-03_cd7b199f57142ddaeca9c24b0819df6d_magniber_revil_zxxz.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368
-
Level 1: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2388
-
Level 1: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
- Executes dropped EXE
PID:2596
-
Level 1: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
PID:2660
-
Level 1: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
PID:2572
-
Level 1: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508 -
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2308
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 248 -NGENProcess 1e4 -Pipe 1ec -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1076
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 258 -NGENProcess 230 -Pipe 254 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1592
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 240 -NGENProcess 260 -Pipe 248 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1540
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 240 -NGENProcess 25c -Pipe 230 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1532
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 24c -NGENProcess 268 -Pipe 250 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2124
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 24c -NGENProcess 234 -Pipe 25c -Comment "NGen Worker Process"
- Executes dropped EXE
PID:384
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 264 -NGENProcess 270 -Pipe 238 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2580
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 264 -NGENProcess 1e4 -Pipe 234 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2888
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 278 -NGENProcess 270 -Pipe 23c -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1532
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 278 -NGENProcess 264 -Pipe 24c -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1716
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 278 -NGENProcess 27c -Pipe 270 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:112
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 240 -Pipe 264 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2584
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 278 -NGENProcess 268 -Pipe 27c -Comment "NGen Worker Process"
- Executes dropped EXE
PID:792
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 278 -NGENProcess 260 -Pipe 240 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1968
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 278 -NGENProcess 1e4 -Pipe 268 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1700
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 278 -NGENProcess 258 -Pipe 260 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1540
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 29c -NGENProcess 278 -Pipe 298 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:792
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 29c -NGENProcess 1e4 -Pipe 294 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2812
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 274 -NGENProcess 2a0 -Pipe 288 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2616
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2a4 -NGENProcess 1e4 -Pipe 258 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2576
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2a4 -NGENProcess 274 -Pipe 26c -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2124
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2a4 -NGENProcess 2a8 -Pipe 1e4 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1724
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 26c -NGENProcess 288 -Pipe 1f4 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:948
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 248 -NGENProcess 268 -Pipe 230 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1500
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 254 -NGENProcess 298 -Pipe 26c -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2972
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 250 -NGENProcess 294 -Pipe 234 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:3004
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 250 -NGENProcess 254 -Pipe 25c -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:748
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 298 -NGENProcess 254 -Pipe 238 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2968
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 298 -NGENProcess 250 -Pipe 1cc -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2656
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 294 -NGENProcess 274 -Pipe 28c -Comment "NGen Worker Process"
- Executes dropped EXE
PID:332
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 294 -NGENProcess 2a4 -Pipe 250 -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2564
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2ac -NGENProcess 294 -Pipe 1d0 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2724
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2ac -NGENProcess 274 -Pipe 2b0 -Comment "NGen Worker Process"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1580
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 254 -NGENProcess 294 -Pipe 248 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2696
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 254 -NGENProcess 288 -Pipe 2ac -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
PID:1148
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 288 -NGENProcess 29c -Pipe 294 -Comment "NGen Worker Process"
PID:2836
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 288 -NGENProcess 254 -Pipe 268 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
PID:808
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 254 -NGENProcess 1ec -Pipe 29c -Comment "NGen Worker Process"
PID:500
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 254 -NGENProcess 288 -Pipe 298 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
PID:940
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 2a4 -NGENProcess 2b8 -Pipe 2a0 -Comment "NGen Worker Process"
PID:824
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2a4 -NGENProcess 1c0 -Pipe 288 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
PID:2104
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 280 -NGENProcess 2c0 -Pipe 274 -Comment "NGen Worker Process"
PID:816
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 284 -Pipe 1c0 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
PID:2664
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2bc -NGENProcess 2c8 -Pipe 2c4 -Comment "NGen Worker Process"
PID:1896
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2bc -NGENProcess 2a8 -Pipe 284 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
PID:1220
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 278 -NGENProcess 2d0 -Pipe 254 -Comment "NGen Worker Process"
PID:2372
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2a4 -NGENProcess 2a8 -Pipe 2b8 -Comment "NGen Worker Process"
- Loads dropped DLL
- Drops file in Windows directory
PID:2400
-
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 1ec -NGENProcess 2d8 -Pipe 278 -Comment "NGen Worker Process"
PID:3008
-
-
Level 1: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1620 -
Level 2: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2228
-
-
Level 2: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 240 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1300
-
-
Level 1: C:\Windows\ehome\ehRecvr.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:808
-
Level 1: C:\Windows\ehome\ehsched.exe
- Executes dropped EXE
PID:2236
-
Level 1: "C:\Windows\eHome\EhTray.exe" /nav:-2
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:612
-
Level 1: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:2044
-
Level 1: C:\Windows\system32\IEEtwCollector.exe /V
- Executes dropped EXE
PID:2068
-
Level 1: C:\Windows\ehome\ehRec.exe -Embedding
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012
-
Level 1: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1992
-
Level 1: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID:2224
-
Level 1: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1616
-
Level 1: C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2732
-
Level 1: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2468
-
Level 1: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1364
-
Level 1: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:2268
-
Level 1: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:540
-
Level 1: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2276
-
Level 1: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2992
-
Level 1: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
Level 1: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1180
-
Level 1: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:692
-
Level 1: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:324
-
Level 1: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192 -
Level 2: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3627615824-4061627003-3019543961-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3627615824-4061627003-3019543961-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
- Suspicious use of SetWindowsHookEx
PID:2940
-
-
Level 2: "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
PID:1628
-
-
Level 2: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1076
-
-
Level 1: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
- Executes dropped EXE
- Drops file in Windows directory
PID:2152
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 706KB
MD5 78ffdab62ef8be43da8cb7fd3e896c5e
SHA1 f69626d84451edc039833647efbb943bf8188ea8
SHA256 d48f7fb382baa480085881c931c0343f23d38a3c60b218fb8be2a6e96a369be7
SHA512 8d3e1866f06e915e977c89b3b183e4808ff7f40bd8d43fe55ab1c95905539049ad06f2267d4322dfc475ff2727c68681c2c9bb685c2a51c835c77d8962892a49
-
Filesize 30.1MB
MD5 6dc7f5cc900801a5a161762fa6980c09
SHA1 101f2495e860a5207ee1c469736d67fab05881e8
SHA256 68b88456a2f70e9994cd1870ada0153a904534c7f95e8df30d119ca2846367da
SHA512 632458232a1d5281d809d3c94f24faf4aa3358166daf1bebd415bc5f096638b1f95036bdfe1950e20249a03f77efb366b9ff9e39e0adba08535feb530aaa2d7c
-
Filesize 781KB
MD5 aa75a7235949e9ebed7824601f6cb1f0
SHA1 98e09e7a4952f37e956faa0f41ce587396854348
SHA256 885086b4631769297f64e8d79fe647071c72aa4087652deb1357e2c448eb7b30
SHA512 84257e905928d4aed0702cddf96bcb26c64aa87b683f7d763811fcb7ede62a67ca5cad9e416efab98b7ad543f7f78cdc4db7c21ecf473158c5112da5a70585b0
-
Filesize 5.2MB
MD5 bdfa7de760126d7273e8df6f187adf94
SHA1 254222ff889fbb567b90edaa01c0a5d92dee82db
SHA256 b6920dd4734c3c6d54b3fdaf985f03b013c5bca5eb0256f5906eea76e18454ca
SHA512 28677ee30f200b3b023af3afc18a2952dc30391ea443ffbc38bd7f426d3307b78391822b3a5b8e420fc49879964e4d2dd911696a39bfcb1055cb4461241702c6
-
Filesize 2.1MB
MD5 2478d7d2415be39ea35d17b255dd4c3b
SHA1 1953b71b3fb9c5525870a7d2ea8e50eac67bf06d
SHA256 b6bdee3fbdbca8176576ffb09fcaeaeea21f8161a0d9fb4f9504e7f2d7129438
SHA512 45436590a5006c7304ed7154272981c47c876ebe3bc71a85b3067a0de5e78909095c035b70da8836dd90ab190097c0d53edf872d77120bb444c3d0a763b6974b
-
Filesize 1024KB
MD5 797286f6bd275073e20ba1d6dfc4ff1d
SHA1 1f889d4ed1188976f33ea15dd44f652dfe1225c0
SHA256 b52c6ee028dffa1497cf118a32b54ab7c9e5b56c774ad2d3799bc7257b9de459
SHA512 6dbd54f0cc16b9fc9dc479a9fc5b00573c1fd29e65cd6c8870794cf0fc5879ee7b05cfe0211fc3bf84d3caa695dd826562e7db1ba08f1b3e978fbdf4ebedbfc8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize 24B
MD5 b9bd716de6739e51c620f2086f9c31e4
SHA1 9733d94607a3cba277e567af584510edd9febf62
SHA256 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512 cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize 872KB
MD5 9345a87eca84a1209c495a3b6a59fe5f
SHA1 ea71e788e9c90c33c5995acf267d9506763a8fbd
SHA256 c3dc7c66521815e9b7630b515f329eb19dac629916a31b6d4ab2fa4449ffbf11
SHA512 b3c00f28ba729764a7e7b6e389c6f48e502d88320b154aa77e481e424ea946aef0554002b987f7bcbafabe1a150f6584ca0af8101025a0a8046ad5f60e6e1fe7
-
Filesize 603KB
MD5 6519b0c4e2aae9ce6e7404d640c8b314
SHA1 354ecdbc425fef489593950c10008fc83a98b973
SHA256 4074a00ddf8d9e2a4d182c23a126754b89e838dc84a10d355560e24602b817a9
SHA512 169a9c78910352382bf93710bda023c3ba3dc70037f4c780cf4ad79817c0df76f90c2554176326e02425cea9b8deb76c815306889931ee06fbe9604ad13002db
-
Filesize 678KB
MD5 be7e2927c0a0aabf5fa65ce7f8bce61d
SHA1 04a8bafb99277803071f2276122ea88120e3c164
SHA256 fc03ec4ad348654cfc2b65034130fd60bbd539f8794abe392570768c639999de
SHA512 f49d0f79a12d96449d2432ccea615afb5e2e5ecbe6cf610fe583fb3d04d9959a1427a482dc2731a1dc1d94bab146f50ff0e7ecfb5f8b3bcf342a33fa4f724f49
-
Filesize 625KB
MD5 f3adade901964ac50187f1e47493cf5b
SHA1 7ceda1ddfae2511f8171bf54155104729327672a
SHA256 06b2b8555c7bdc1947303e881c2b1b83b67ed6a2976ade73af999f28f7d1ceda
SHA512 6ddf41e95fe924991991637e953faa8127dafcc47602121bf98bcfc47aeef3af0bb5d6a1be471f094b264594f14b448ebd9540737eb398c550f096804a781600
-
Filesize 1003KB
MD5 b81a6579e55d81be6b71eef7c73b76b5
SHA1 aac9eb4675d7235ac342293961f7850dcaf1e3d2
SHA256 a4e13bbd7e4569b1a48e9a8edeefe70186ae1195ce224cc0f231a9298578f4ef
SHA512 731ada5a7465f7488232281d5da40fda7ddf8cb179ad1a69837f078e27817bd41f59ae076f7cb6d5abba0d83f1a594f525cf23819cc3c6225f7fc1355feec89c
-
Filesize 656KB
MD5 7e04b409de704961de90c0adf2bf9b79
SHA1 e38cc734a6e183bc4c1322a843928e51c1da8f04
SHA256 89877785928da924d41be7af4b447f483d01ad4760b9759317d3d3d21de6945b
SHA512 2da0fa71064b6d6569e4067f7504e7e3c9cfac844a2652299e4cb4dfbe80778c52df89e351f0b3117ffba450c5160ab679c4bc83fe5aacbaa6d11786819ce6b2
-
Filesize 8KB
MD5 7625e34fbaff4e5d27270b8c18aaff01
SHA1 1b5757ff2acb17f587fa29f08e8defbfc9af8da2
SHA256 8e90830dea391633fed1d480a20fa73f43f0d5e8028303a14495980527174a54
SHA512 9444837367efc2ed78c0da6b183cf4af5081051c94afd88d429d4d6523a377dfc071f62e0b1d84c830f42c3a22586f2aeda9fccf891b70458ce73ed4a88c3847
-
Filesize 587KB
MD5 432db0901c2b9301d5a73ef0118329e0
SHA1 9a51b0e9355576a8326f7a97f5ae67424c6451a3
SHA256 664aa5f584b5951cea75088225a5a2feea434bd7cba32d11f35f00083f719743
SHA512 16bf7b040b468eb439f1c93110f7b626e2a8d952419417831428e48f40caf4155712f42a7c3e8b35ea9f8235c7b88dc65c52b211de6c211596bd93a15db4f446
-
Filesize 1.1MB
MD5 da4416db89e1b34c1e860f87bce8de8b
SHA1 1d12e35320b0fce724f7447a1475f2e81a04f973
SHA256 c0e4c782727314fd83d367eed2a48dde09d1877f806f99dccf63653f4b773428
SHA512 63d374238b89a3cd56caf89e3ebb4ac17bc453ea06a877cf3a3ef69fd576c114f13eb39060b2c5fb9c2c84d037d239bd7ef3c016441af20c40f90535bd3ae47d
-
Filesize 2.1MB
MD5 3b22a0f05c1c88c12b37ecbc027ec49f
SHA1 d639df6058ebb04ab51ff0dbae7f0b29dcdfc2bb
SHA256 6244ec755a48a7e73092458bf7214b4af97eb3dffd3dd4b6a2b04c8c861b6870
SHA512 5cdff944a21180d2bb4a57f0330c682a296d647d268a95f44f07fa5a22273f5af7a1b4141cfca08f7b75fad95dcb71c4b03114210bbb8dba148443446558eaea
-
Filesize 674KB
MD5 08afdec2c21961580c635910a9009592
SHA1 19bd733957b9c1f479a813d8e28859b4f0cca27c
SHA256 4803a0432722d125f10d0e2769835b0e2af518ab29b98f1c7a30af0c555c971d
SHA512 8138be6f12f5dc9ebecc1abe157a6b623ac9b00c548a5835f63c51bfa0389b8db150df33705ba4dec2807b2c892c0658f0487efe8530592f918dfcc8d2c8a5b9
-
Filesize 705KB
MD5 2ba1e9d3522d8443b4c13b29cd1a0821
SHA1 4836139578ece94045a34a01e90fda93e089d91a
SHA256 1c4553ffdceca8e2dfc8780cc8f9a99f6730440fb25ae1abf9e95f97aae53e7c
SHA512 4861979280cd8d70d6745fab54ead62cf2981ff34a6449daa31019799c556c80f0f681bc2a6c5a5698075fc69b3cad09207e882d4dc8865777bd39a06d1b6d88
-
Filesize 581KB
MD5 8faad73a4ebaa1aa28bd43701f30c466
SHA1 0ee913aee666c0614d6e3d7963555a45bbf00504
SHA256 0b0a3d83438629d287843c8ee3c98a17d9aa00af8aeadcb9e069e03a5abef373
SHA512 1dd76d139fcec33fec2a83e314d4e6893e2e77b19e37fe70b6a2cc5e9aad2f26d70b9d706e08a025447bdb7c8e63c9026fbd665853ab4c0c245658f59ff0dc4a
-
Filesize 1.1MB
MD5 d2c07e525b6f0acf4ed739821a5472fd
SHA1 e90b531851ec8b40672358d53d4a9231238a5e37
SHA256 4e6d4e4c2fc89973d9b0c8df9bd4389bc9d3e3f42ac9eb93062f99a5751801da
SHA512 6d6516ccdd09f5c5a0a3103ea6a7eca656c0689e407dcbd392169d2f0c0fe45f20c81b602a40f15f8a1a2a9b34fd5ba54fe6d6865b0a798d01386327940dfbca
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize 148KB
MD5 ac901cf97363425059a50d1398e3454b
SHA1 2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256 f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA512 6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize
34KB
MD5
c26b034a8d6ab845b41ed6e8a8d6001d
SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493
SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3
SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize
109KB
MD5
0fd0f978e977a4122b64ae8f8541de54
SHA1
153d3390416fdeba1b150816cbbf968e355dc64f
SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60
SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize
41KB
MD5
3c269caf88ccaf71660d8dc6c56f4873
SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4
SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48
SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize
210KB
MD5
4f40997b51420653706cb0958086cd2d
SHA1
0069b956d17ce7d782a0e054995317f2f621b502
SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553
SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize
53KB
MD5
e3a7a2b65afd8ab8b154fdc7897595c3
SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228
SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845
SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize
28KB
MD5
aefc3f3c8e7499bad4d05284e8abd16c
SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7
SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d
SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize
27KB
MD5
9c60454398ce4bce7a52cbda4a45d364
SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620
SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1
SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize
130KB
MD5
2735d2ab103beb0f7c1fbd6971838274
SHA1
6063646bc072546798bf8bf347425834f2bfad71
SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3
SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize
59KB
MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94
SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b
SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize
42KB
MD5
71d4273e5b77cf01239a5d4f29e064fc
SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62
SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575
SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180
-
Filesize
2.0MB
MD5
5d990e08628d1382e37c0b3f429e695b
SHA1
934f805fcf9d2c86d7cf4ff4884af94414d7a6f3
SHA256
e9d68b6eab2ecf740362e6de225b39bcaf828982c2b06307ec59148f9ee5f40f
SHA512
9b73da9efaeda09d422d96d60fd8e2ba25cb4acb343064a6bfbd2cdc79eb70b031bc071af85f2ddf102b23f91ab1c55145a70dfec3b4499c26f2e8e44b3d17a6
-
Filesize
648KB
MD5
e8008856da9f497d0a2056aa980eb488
SHA1
444639db329b3f4b9e9a976b41c70c79410a2fea
SHA256
e2c67aa986f8ced3fa40e03f8c6abcd416e3f65a89544a10e25e85a4387f8df4
SHA512
72badac426bf1002ddd96f6f928873a3b7f2ecfef7fe588957d9b81d94428d16eb2e1bc29f938fc1b197e7e369cb2099c6bc62b754e8af406b7bafc0f9f536a8
-
Filesize
577KB
MD5
647cb117981329879bb74773f92eec91
SHA1
5c45f38cb6175426a54ecdcbf914bae73cf97674
SHA256
078f55c15c3973b00f008f9be574faa019177a62703465471c791117afe33705
SHA512
65a1d786a4f7195ffafd9cb0725d50318711e623c0212ad512e463d593166f96b60f2bc6c6c5501639a6c683d79d1edcc104df4cf15d1941f3e87d3450c1c8c8
-
Filesize
644KB
MD5
1f20f688bd27b76e867e51eebde0287e
SHA1
03dd4965b5b5e89586afc1d44935bf0aa8211b56
SHA256
308f9a8415b505458d58eb04182aeadb946a8e171b6f8120c1f2f46564210793
SHA512
136d1ebbe7aff5175ad641e7fc679d4372cd8fc552aa3f1b0429b5ce7e7ab8f94573b046f0d1dcaaf8436e4fa38370131e4339ab47ab8795ba948ba60d64b13d
-
Filesize
691KB
MD5
5fb78055e9c501a03b738b39002f9fbb
SHA1
9bc1505180bbe0ff2d9e2b5c9afb806729ec911a
SHA256
a245a9df7156d2d4cf919bfe5e6ce9af69eaf64c233e73b282fb52e69825b540
SHA512
aae86d9876c2a6bcb0bfdc2a74288dea7ad3ba4f7fb94a3cdd85522e8595ffe6431c7210a153351b889174efd7a879dd6890091fec4054f633024df138513f18
-
Filesize
765KB
MD5
dad87a5b4a7086592e66005518596af0
SHA1
f31f12cb67408353171ac73bbad0bedf158c0e22
SHA256
f2b99b72c0737f627111b22c26db7d40a002423310818c223dc2d729032cad97
SHA512
2e6b0041a6fde4966848d44693a8b51703f3061648c6b21632730230415d4209314beb46398ad874944877a3bbfd1eaed547ed790a6cc71a163fb9307fa8f200
-
Filesize
2.0MB
MD5
8db3e7cbaa6266b171a637ba0e3c331a
SHA1
93ea35336b72bb342b935ea6ad7e253f6e932ef5
SHA256
1e32c40d70df1293bd155a33be95c6f3ac0b18d37bacabef2c4659349301e3e6
SHA512
d21acf0c43f4e22d310745fd0ae50acb037ba15e9a68c682bd89a27040a2cee5e1f05aa19c214db1daeab57292ffb3c04ca46807907f6f69d4ed165f06a40530
-
Filesize
1.2MB
MD5
30c0a4bd6c432f59d9ced0789e8933b4
SHA1
e178a74a53e4c2f3b994b76113aaefa04ccbc7e2
SHA256
751489b76730642b5c47575cac9ec87b601f6c716ba3afd734fdca58606052c8
SHA512
6f1c6a4290155376010d9d0288b2fd47288595b45bb420b779157ddefd1a3e15e35e30327bfd42dc27a5db529f5d5b71d9e300561c19280a869cc4a6dea9ab39
-
Filesize
691KB
MD5
6c8b773308ad7b2932256c695e9a1e95
SHA1
6780060c044acd7d957b08f04a4b94c9eb74031d
SHA256
f66c7d8809148cd02ab8cea8c3a7d43d82d4d66a6af679b5e9f704b80ad5f73b
SHA512
98ec12f947e2ca3ba8c4fc11a917dec58a8a50a575c2ca814e039ddab1d87cbc5d9f4820cdac628b4f433bb35fc43d91b4c7aeed8dc0031093cf1bcb82f45af2
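Several of the records above sit under C:\Windows\assembly\NativeImages_v2.0.50727_32\ and carry a .ni.dll suffix. Those are native images compiled by the .NET Native Image Service (mscorsvw.exe) while the sandbox ran, so they are runtime churn rather than files the sample itself wrote, and their hashes make poor pivots. The Python below is an added triage helper, not part of this report or of the sandbox's own tooling: it parses a listing in this flattened layout (including rows where the label is fused to its value), rejects digests whose length does not match their algorithm, and separates NGEN images from the records worth pivoting on. The sample listing, its paths and its hex values are constructed for the demonstration and do not appear on this page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex digits per digest
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)(.*)$")
# Native images that the .NET Native Image Service (mscorsvw.exe) writes into the assembly cache.
NGEN_RE = re.compile(r"\\assembly\\NativeImages_[^\\]+\\.*\.ni\.dll$", re.IGNORECASE)

@dataclass
class DroppedFile:
    path: Optional[str] = None
    filesize: Optional[str] = None
    hashes: Dict[str, str] = field(default_factory=dict)
    errors: List[str] = field(default_factory=list)

    @property
    def is_ngen_image(self) -> bool:
        return bool(self.path and NGEN_RE.search(self.path))

def _assign(rec: DroppedFile, label: str, value: str) -> None:
    """Store one label/value pair; a digest of the wrong length is an error, not data."""
    if label == "Filesize":
        rec.filesize = value
    elif len(value) != HASH_LEN[label] or not re.fullmatch(r"[0-9a-fA-F]+", value):
        rec.errors.append(f"{label} is not {HASH_LEN[label]} hex chars: {value!r}")
    else:
        rec.hashes[label] = value.lower()

def parse_listing(text: str) -> List[DroppedFile]:
    """Parse the flattened listing: a record ends at a '-' line; a label is either
    alone on its line (value on the next line) or fused to its value."""
    records, cur, pending = [], DroppedFile(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LABEL_RE.match(line)
        if line == "-":
            if cur.path or cur.filesize or cur.hashes:
                records.append(cur)
            cur, pending = DroppedFile(), None
        elif pending is not None:  # value line following a bare label line
            _assign(cur, pending, line)
            pending = None
        elif m:
            label, value = m.group(1), m.group(2).strip()
            if value:
                _assign(cur, label, value)
            else:
                pending = label
        elif re.match(r"^[A-Za-z]:\\", line):  # Windows path of the dropped file
            cur.path = line
        else:
            cur.errors.append(f"unrecognised line: {line!r}")
    if cur.path or cur.filesize or cur.hashes:
        records.append(cur)
    return records

def triage(records: List[DroppedFile]):
    """Return (pivots, noise, broken): SHA256s of non-NGEN records worth pivoting on,
    the NGEN native-image records, and records carrying a parse or digest error."""
    pivots, noise, broken = [], [], []
    for r in records:
        if r.errors:
            broken.append(r)
        if r.is_ngen_image:
            noise.append(r)
        elif "SHA256" in r.hashes:
            pivots.append(r.hashes["SHA256"])
    return pivots, noise, broken

# Constructed sample in the report's flattened layout (not copied from the page): a
# pathless entry with label and value on separate lines, an NGEN native image with
# fused label+value lines, and a hypothetical drop whose SHA1 is truncated.
SAMPLE = "\n".join([
    "Filesize", "2.1MB",
    "MD5" + "0123456789abcdef" * 2,
    "SHA1" + "0123456789abcdef" * 2 + "01234567",
    "SHA256" + "0123456789abcdef" * 4,
    "SHA512" + "0123456789abcdef" * 8,
    "-",
    r"C:\Windows\assembly\NativeImages_v2.0.50727_32\Example#\00112233\Example.ni.dll",
    "Filesize148KB",
    "MD5" + "fedcba9876543210" * 2,
    "SHA256" + "fedcba9876543210" * 4,
    "-",
    r"C:\Users\Admin\AppData\Local\Temp\payload.exe",  # hypothetical path
    "Filesize", "674KB",
    "MD5" + "00ff00ff00ff00ff" * 2,
    "SHA1" + "00ff00ff00ff00ff" * 2,  # only 32 hex chars: must be flagged
    "SHA256" + "00ff00ff00ff00ff" * 4,
    "-",
])

if __name__ == "__main__":
    pivots, noise, broken = triage(parse_listing(SAMPLE))
    print("pivot SHA256s:", pivots)
    print("NGEN noise:", [r.path for r in noise], "broken:", [r.errors for r in broken])
```

Feed it the text of a dropped-files section copied from a report and pivot on the SHA256 values it returns; anything it reports as broken was mangled in transit and should be re-read from the original page before being searched or blocked on.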