Analysis
  max time kernel: 150s
  max time network: 154s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 07-04-2024 23:35
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe
  Resource: win10v2004-20231215-en
(The analysis block above and the signatures below belong to the win7-20240221-en run.)
General
  Target: 2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe
  Size: 4.7MB
  MD5: aab33557c85ba58681ae5a868881e1b8
  SHA1: a01778d12f92e47081de63ce6913b2cdb10266ed
  SHA256: fbed99453a6a3bb1916f2530dfcdc8a1cbb98180545914e5c5b9d92188e704d4
  SHA512: e0c120c60218e299f976b379074bb0036d096979d150227d5e692c6b3ebb220ead7766851ed9b6cbe975d6de33bd9615816914d67f1d488dd39e1fd55280172c
  SSDEEP: 98304:yqJkdmBucaT57K3C4qJ31B0G0c5S2uf+bGhwmv5:z2dV7VK8tj0QufMQ
Malware Config
Signatures
Executes dropped EXE 38 IoCs
Most images here are Windows service binaries or third-party helpers that appear in the "Drops file" tables below as opened for modification by the sample or by the already-modified alg.exe; because those files were written to earlier in the run, the sandbox counts their later start as execution of a dropped file.
  pid   process
  468   (process name not recorded in the report)
  2024  alg.exe
  2836  aspnet_state.exe
  2720  mscorsvw.exe
  2744  mscorsvw.exe
  2952  mscorsvw.exe
  2608  mscorsvw.exe
  2892  ehRecvr.exe
  604   ehsched.exe
  2492  elevation_service.exe
  2308  IEEtwCollector.exe
  1828  GROOVE.EXE
  1244  maintenanceservice.exe
  1656  msdtc.exe
  1236  msiexec.exe
  2548  OSE.EXE
  2372  OSPPSVC.EXE
  2328  mscorsvw.exe
  2412  perfhost.exe
  1028  locator.exe
  1436  mscorsvw.exe
  2068  snmptrap.exe
  2000  vds.exe
  2488  vssvc.exe
  2288  wbengine.exe
  1692  mscorsvw.exe
  868   WmiApSrv.exe
  2544  wmpnetwk.exe
  3632  SearchIndexer.exe
  4000  mscorsvw.exe
  6720  mscorsvw.exe
  6944  dllhost.exe
  4576  steamwebhelper.exe
  4864  steamwebhelper.exe
  3704  steamwebhelper.exe
  5312  steamerrorreporter.exe
  4292  steamwebhelper.exe
  5428  steamwebhelper.exe
Loads dropped DLL 64 IoCs
The report lists one row per load event (64 rows, which is where this table stops); grouped by process:
  pid   process                                                    load events
  468   (process name not recorded in the report)                  13
  720   (process name not recorded in the report)                  1
  1236  msiexec.exe                                                1
  6828  2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe   19
  4576  steamwebhelper.exe                                         8
  4864  steamwebhelper.exe                                         3
  3704  steamwebhelper.exe                                         6
  4292  steamwebhelper.exe                                         6
  5312  steamerrorreporter.exe                                     6
  5428  steamwebhelper.exe                                         1
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
(The report gives no process or file rows for this signature.)
Drops file in System32 directory 20 IoCs
Every row is "File opened for modification"; grouped by the process that opened the file. Each target written by the sample is an existing service executable (alg.exe, msiexec.exe, vssvc.exe, wbengine.exe, ...), not a new file. alg.exe, itself modified by the sample and later running as pid 2024, goes on to modify dllhost.exe, fxssvc.exe and IEEtwCollector.exe and writes b38baa9e9a3c2c1c.bin under the SYSTEM profile; that .bin is worth collecting from any affected host.
  2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe (14):
    C:\Windows\system32\dllhost.exe
    C:\Windows\System32\alg.exe
    C:\Windows\system32\fxssvc.exe
    C:\Windows\system32\IEEtwCollector.exe
    C:\Windows\System32\msdtc.exe
    C:\Windows\system32\msiexec.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\system32\wbengine.exe
    C:\Windows\System32\snmptrap.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\SysWow64\perfhost.exe
    C:\Windows\system32\locator.exe
    C:\Windows\System32\vds.exe
    C:\Windows\system32\SearchIndexer.exe
  alg.exe (4):
    C:\Windows\system32\dllhost.exe
    C:\Windows\system32\fxssvc.exe
    C:\Windows\system32\IEEtwCollector.exe
    C:\Windows\system32\config\systemprofile\AppData\Roaming\b38baa9e9a3c2c1c.bin
  GROOVE.EXE (1):
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
  msdtc.exe (1):
    C:\Windows\system32\MSDtc\MSDTC.LOG
Drops file in Program Files directory 64 IoCs
Every row is "File opened for modification" on an executable that already existed in the sandbox image (Java, Firefox, Chrome, Office, VLC, 7-Zip helpers), not a newly dropped file, and the table stops at exactly 64 rows, so treat it as a sample of the affected files rather than a complete list. alg.exe, modified by the sample in System32 and then running as pid 2024, performs the same kind of modification, i.e. the modified system binary carries the behaviour on. On a host that ran this sample, verify the Authenticode signature and hash of every executable under Program Files and System32 against known-good copies rather than checking only the paths listed here.
  2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe (34):
    C:\Program Files\Java\jre7\bin\orbd.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe
    C:\Program Files\Java\jre7\bin\rmiregistry.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe
    C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
    C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE
    C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe
    C:\Program Files\Mozilla Firefox\crashreporter.exe
    C:\Program Files\Mozilla Firefox\updater.exe
    C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe
    C:\Program Files (x86)\Internet Explorer\ieinstal.exe
    C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    C:\Program Files\Java\jre7\bin\policytool.exe
    C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
    C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE
    C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe
    C:\Program Files\7-Zip\7z.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe
  alg.exe (30):
    C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe
    C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    C:\Program Files\Internet Explorer\ieinstal.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe
    C:\Program Files\Mozilla Firefox\default-browser-agent.exe
    C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
    C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe
    C:\Program Files\Mozilla Firefox\maintenanceservice.exe
    C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe
    C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
    C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe
    C:\Program Files\VideoLAN\VLC\uninstall.exe
    C:\Program Files\VideoLAN\VLC\vlc.exe
    C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe
    C:\Program Files\Java\jre7\bin\pack200.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe
    C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe
    C:\Program Files\Java\jre7\bin\unpack200.exe
Drops file in Windows directory 33 IoCs
Grouped by process. The rows worth attention are the executables opened for modification by the sample and by alg.exe (Media Center services, the NGEN service binaries, PresentationFontCache.exe, aspnet_state.exe); the mscorsvw.exe, dllhost.exe and msdtc.exe rows are the lock and log files those services create when they start, i.e. ordinary service housekeeping.
  2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe (8, all "File opened for modification"):
    C:\Windows\ehome\ehsched.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Windows\ehome\ehRecvr.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  alg.exe (5, all "File opened for modification"):
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    C:\Windows\ehome\ehsched.exe
    C:\Windows\ehome\ehRecvr.exe
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
  mscorsvw.exe (17):
    File opened for modification  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
    File created                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat
    File created                  C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat
    File created                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock
    File created                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat
    File created                  C:\Windows\Microsoft.NET\ngennicupdatelock.dat
    File created                  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock
    File opened for modification  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
    File created                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
    File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log
    File created                  C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat
    File created                  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat
    File created                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
    File created                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat
    File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
    File created                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
    File created                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat
  dllhost.exe (2):
    File opened for modification  C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{0970E2B9-3553-4723-AA8A-F69BA2A91E8E}.crmlog
    File created                  C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{0970E2B9-3553-4723-AA8A-F69BA2A91E8E}.crmlog
  msdtc.exe (1):
    File opened for modification  C:\Windows\DtcInstall.log
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments. The only value actually read here is ~MHz (the CPU clock speed); the report attributes the reads to two instances of the sample image but gives no pids in this table.
  2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe:
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Modifies data under HKEY_USERS 52 IoCs
All 52 rows are written under \REGISTRY\USER\.DEFAULT by services that started during the run (Media Center ehRec.exe and ehRecvr.exe, OSPPSVC.EXE, Windows Search, wmpnetwk.exe, GROOVE.EXE); none is attributed to the sample, so this table is service noise rather than sample activity. Grouped by process:
  ehRec.exe (21):
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"
  OSPPSVC.EXE (2):
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = (binary value not reproduced in the report)
  SearchProtocolHost.exe (2):
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (UTF-16LE "en-US", "en")
  SearchIndexer.exe (13):
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (UTF-16LE "en-US", "en")
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  wmpnetwk.exe (7):
    Key created      \REGISTRY\USER\.DEFAULT\Software
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{840F61EC-B78F-4376-B101-89725C2D05FA}
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{840F61EC-B78F-4376-B101-89725C2D05FA}
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\
  ehRecvr.exe (6):
    Key created      \REGISTRY\USER\.DEFAULT\Software
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"
  GROOVE.EXE (1):
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Writes to the machine ROOT certificate store 2 IoCs
(The signature name for this table is missing from the page; the rows are the sample's own.)
  2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe:
    Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
    Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob not reproduced in the report)
A write to ROOT\Certificates is the same operation that installing a trusted CA performs, but it also happens for well-known roots that Windows adds on its own. Identify the certificate by its thumbprint (compare against the host's Cert:\LocalMachine\Root store and Microsoft's trusted root list) before reporting this as the sample installing its own root CA.
Suspicious behavior: EnumeratesProcesses 37 IoCs
Grouped by process (the report lists one row per enumeration):
  pid   process                                                    rows
  2300  ehRec.exe                                                  1
  2080  2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe   25
  6828  2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe   2
  5312  steamerrorreporter.exe                                     9
Suspicious use of AdjustPrivilegeToken 64 IoCs
The sample (pid 2080) enables SeTakeOwnershipPrivilege and SeDebugPrivilege. SeTakeOwnershipPrivilege grants WRITE_OWNER on any object regardless of its DACL, which is what lets an elevated process take over TrustedInstaller-owned files and then rewrite the System32 and Program Files executables listed in the "Drops file" tables. alg.exe (pid 2024), once modified and running, also enables SeDebugPrivilege. The remaining rows are the ordinary privileges of services that started during the run (NGEN, VSS, Windows Backup, Search, Media Center, MSI). "33" is a privilege the sandbox prints only by LUID; LUID 33 is SeIncreaseWorkingSetPrivilege. The table stops at 64 rows. Grouped by process:
  pid   process                                                    privileges (rows)
  2080  2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe   SeTakeOwnershipPrivilege (1), SeDebugPrivilege (5)
  2024  alg.exe                                                    SeDebugPrivilege (1)
  2952  mscorsvw.exe                                               SeShutdownPrivilege (4)
  2608  mscorsvw.exe                                               SeShutdownPrivilege (4)
  1192  EhTray.exe                                                 33 (2), SeIncBasePriorityPrivilege (2)
  2300  ehRec.exe                                                  SeDebugPrivilege (1)
  1236  msiexec.exe                                                SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege (1 each)
  2488  vssvc.exe                                                  SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (1 each)
  2288  wbengine.exe                                               SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege (1 each)
  3632  SearchIndexer.exe                                          SeManageVolumePrivilege, 33, SeIncBasePriorityPrivilege (1 each)
  2544  wmpnetwk.exe                                               33, SeIncBasePriorityPrivilege (1 each)
  4576  steamwebhelper.exe                                         SeShutdownPrivilege (29)
  5312  steamerrorreporter.exe                                     SeShutdownPrivilege (1)
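The three "Drops file" tables and the AdjustPrivilegeToken table above are each flattened into one run-on line of "description ioc process" or "Token: privilege pid process" cells. The Python below is an added example for working with that layout; it is not part of the sandbox report or of the tooling that produced it. It parses the cells back into rows and lists the images that both enabled a privilege which bypasses file ACLs or process boundaries and opened executables under C:\Windows or Program Files for modification, which is the combination that matters in this report. The input rows are copied from the tables above; the set of "sensitive" privileges, the protected-directory prefixes, the executable extensions and the join on image name (the file tables carry no pid) are the example's own assumptions. The LUID 33 name comes from the Windows privilege table.

```python
import re
from collections import defaultdict

# Constructed input: a handful of rows copied from the report's "Drops file in ..."
# and "Suspicious use of AdjustPrivilegeToken" tables, kept in the run-together
# layout the page uses.
FILE_EVENTS_TEXT = (
    r"File opened for modification C:\Windows\system32\dllhost.exe "
    r"2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe "
    r"File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe "
    r"File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat mscorsvw.exe "
    r"File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe "
    r"2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe "
    r"File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe alg.exe"
)
TOKEN_EVENTS_TEXT = (
    "Token: SeTakeOwnershipPrivilege 2080 2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe "
    "Token: SeShutdownPrivilege 2952 mscorsvw.exe "
    "Token: 33 1192 EhTray.exe "
    "Token: SeDebugPrivilege 2024 alg.exe "
    "Token: SeRestorePrivilege 1236 msiexec.exe"
)

# Each file row ends with the acting process image (always *.exe in this report) and
# the next row starts with "File ", so a lazy path match terminated by that lookahead
# copes with paths that contain spaces.
FILE_ROW = re.compile(
    r"(?P<action>File opened for modification|File created)\s+"
    r"(?P<path>.+?)\s+(?P<proc>\S+\.exe)(?=\s+File |\s*$)",
    re.IGNORECASE,
)
TOKEN_ROW = re.compile(r"Token:\s+(?P<priv>\S+)\s+(?P<pid>\d+)\s+(?P<proc>\S+)")

# The sandbox prints privileges it cannot name as a bare LUID; LUID 33 is
# SeIncreaseWorkingSetPrivilege in the Windows privilege table.
LUID_NAMES = {"33": "SeIncreaseWorkingSetPrivilege"}

# Assumed list: privileges that let a process bypass the ACLs on TrustedInstaller-owned
# binaries or reach into other processes.
SENSITIVE_PRIVS = {
    "SeTakeOwnershipPrivilege", "SeRestorePrivilege", "SeBackupPrivilege",
    "SeDebugPrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege",
}
# Assumed: directories whose executables are normally TrustedInstaller/Administrators-owned.
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
EXEC_EXTS = (".exe", ".dll", ".sys", ".com", ".scr")


def parse_file_events(text):
    """Split the flattened file table into {action, path, proc} rows."""
    return [m.groupdict() for m in FILE_ROW.finditer(text)]


def parse_token_events(text):
    """Split the flattened privilege table into {priv, pid, proc} rows, naming bare LUIDs."""
    rows = []
    for m in TOKEN_ROW.finditer(text):
        row = m.groupdict()
        row["priv"] = LUID_NAMES.get(row["priv"], row["priv"])
        row["pid"] = int(row["pid"])
        rows.append(row)
    return rows


def is_protected_executable(path):
    """True for an executable file under one of the protected directory prefixes."""
    p = path.lower()
    return p.startswith(PROTECTED_PREFIXES) and p.endswith(EXEC_EXTS)


def correlate(file_events, token_events):
    """Images that both enabled a sensitive privilege and wrote to a protected executable.
    Joined on image name (lower-cased) because the file tables carry no pid."""
    privs = defaultdict(set)
    for t in token_events:
        if t["priv"] in SENSITIVE_PRIVS:
            privs[t["proc"].lower()].add(t["priv"])
    writes = defaultdict(set)
    for f in file_events:
        if is_protected_executable(f["path"]):
            writes[f["proc"].lower()].add(f["path"])
    return {
        proc: {"privileges": sorted(privs[proc]),
               "protected_executables": sorted(writes[proc])}
        for proc in privs.keys() & writes.keys()
    }


if __name__ == "__main__":
    hits = correlate(parse_file_events(FILE_EVENTS_TEXT),
                     parse_token_events(TOKEN_EVENTS_TEXT))
    for proc, info in sorted(hits.items()):
        print(proc, info["privileges"])
        for path in info["protected_executables"]:
            print("    ", path)
```

On the rows above, msiexec.exe (SeRestorePrivilege, no executable writes), mscorsvw.exe (writes only a .dat lock file) and msdtc.exe (writes a log) drop out, and the two images left are the sample and alg.exe. Fed the full tables, the same join shows that a modified system service binary continues the sample's behaviour, which is the point to carry into the incident write-up.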
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid process
1192 EhTray.exe
1192 EhTray.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid process
1192 EhTray.exe
1192 EhTray.exe
-
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
pid process
3120 SearchProtocolHost.exe
3120 SearchProtocolHost.exe
3120 SearchProtocolHost.exe
3120 SearchProtocolHost.exe
3120 SearchProtocolHost.exe
3120 SearchProtocolHost.exe
6828 2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe
2176 SearchProtocolHost.exe
2176 SearchProtocolHost.exe
2176 SearchProtocolHost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
- C:\Users\Admin\AppData\Local\Temp\2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe (level 1, PID 2080)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe (level 2, PID 6828)
    Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (level 3, PID 4576)
      Command line: C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=6828" "-buildid=1709846872" "-steamid=0" "-logdir=C:\Users\Admin\AppData\Local\Temp\logs" "-uimode=7" "-startcount=0" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Users\Admin\AppData\Local\Temp\clientui" "-steampath=C:\Users\Admin\AppData\Local\Temp\2024-04-07_aab33557c85ba58681ae5a868881e1b8_magniber.exe" "-launcher=0" --enable-smooth-scrolling --enable-direct-write --disablehighdpi "--force-device-scale-factor=1" "--device-scale-factor=1" "--log-file=C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --disable-quick-menu "--disable-features=DcheckIsFatal"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (level 4, PID 4864)
        Command line: C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\dumps "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1709846872 --initial-client-data=0x22c,0x230,0x234,0x200,0x238,0x7fef49eee28,0x7fef49eee38,0x7fef49eee48
        - Executes dropped EXE
        - Loads dropped DLL
      - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (level 4, PID 3704)
        Command line: "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --force-device-scale-factor=1 --disablehighdpi --buildid=1709846872 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1092 --field-trial-handle=1208,i,10655423589679709768,13084601154772732833,131072 --disable-features=BackForwardCache,DcheckIsFatal,WinUseBrowserSpellChecker /prefetch:2
        - Executes dropped EXE
        - Loads dropped DLL
      - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (level 4, PID 4292)
        Command line: "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --force-device-scale-factor=1 --disablehighdpi --buildid=1709846872 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1316 --field-trial-handle=1208,i,10655423589679709768,13084601154772732833,131072 --disable-features=BackForwardCache,DcheckIsFatal,WinUseBrowserSpellChecker /prefetch:2
        - Executes dropped EXE
        - Loads dropped DLL
      - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (level 4, PID 5428)
        Command line: "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --force-device-scale-factor=1 --disablehighdpi --buildid=1709846872 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1536 --field-trial-handle=1208,i,10655423589679709768,13084601154772732833,131072 --disable-features=BackForwardCache,DcheckIsFatal,WinUseBrowserSpellChecker /prefetch:8
        - Executes dropped EXE
        - Loads dropped DLL
    - C:\Users\Admin\AppData\Local\Temp\steamerrorreporter.exe (level 3, PID 5312)
      Command line: C:\Users\Admin\AppData\Local\Temp\ste
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\alg.exe (level 1, PID 2024)
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe (level 1, PID 2836)
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  - Executes dropped EXE
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (level 1, PID 2720)
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (level 1, PID 2744)
  Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 1, PID 2952)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 2328)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
    - Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 1436)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
    - Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 1692)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 24c -NGENProcess 23c -Pipe 1d4 -Comment "NGen Worker Process"
    - Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 4000)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 240 -NGENProcess 1d0 -Pipe 234 -Comment "NGen Worker Process"
    - Executes dropped EXE
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 6720)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 24c -Pipe 258 -Comment "NGen Worker Process"
    - Executes dropped EXE
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (level 1, PID 2608)
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\ehome\ehRecvr.exe (level 1, PID 2892)
  Command line: C:\Windows\ehome\ehRecvr.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
- C:\Windows\ehome\ehsched.exe (level 1, PID 604)
  Command line: C:\Windows\ehome\ehsched.exe
  - Executes dropped EXE
- C:\Windows\eHome\EhTray.exe (level 1, PID 1192)
  Command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (level 1, PID 2492)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
- C:\Windows\ehome\ehRec.exe (level 1, PID 2300)
  Command line: C:\Windows\ehome\ehRec.exe -Embedding
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\IEEtwCollector.exe (level 1, PID 2308)
  Command line: C:\Windows\system32\IEEtwCollector.exe /V
  - Executes dropped EXE
- C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE (level 1, PID 1828)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (level 1, PID 1244)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
- C:\Windows\System32\msdtc.exe (level 1, PID 1656)
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
- C:\Windows\system32\msiexec.exe (level 1, PID 1236)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE (level 1, PID 2548)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (level 1, PID 2372)
  Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
- C:\Windows\SysWow64\perfhost.exe (level 1, PID 2412)
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
- C:\Windows\system32\locator.exe (level 1, PID 1028)
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
- C:\Windows\System32\snmptrap.exe (level 1, PID 2068)
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
- C:\Windows\System32\vds.exe (level 1, PID 2000)
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
- C:\Windows\system32\vssvc.exe (level 1, PID 2488)
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe (level 1, PID 2288)
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\WmiApSrv.exe (level 1, PID 868)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
- C:\Program Files\Windows Media Player\wmpnetwk.exe (level 1, PID 2544)
  Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\SearchIndexer.exe (level 1, PID 3632)
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\SearchProtocolHost.exe (level 2, PID 3120)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\system32\SearchFilterHost.exe (level 2, PID 1472)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  - C:\Windows\system32\SearchProtocolHost.exe (level 2, PID 2176)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10002_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10002 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
    - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\dllhost.exe (level 1, PID 6944)
  Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  - Executes dropped EXE
  - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads