Analysis
max time kernel: 150s
max time network: 164s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10/04/2024, 05:28
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
Size: 1.6MB
MD5: 78f3a1793ce06093cbba5023d29e650e
SHA1: c4d5739de577f3d4715d3f0ff9eda8b8e69f63f8
SHA256: 948a99a872a34e0d7456de1a4f268b24d82e33ee7e41991b6cb03fdae8242e3a
SHA512: ed67a96a9eb2bdf62b1ec6d796aa1f2350fc9c73b8c318f6d21e5b63d60bf4f94364a3b345b1667f3c78bedd48eb8c0192984d1b40bf07f40160b69a5f94c0c6
SSDEEP: 24576:xPHeMy8QQGeQrRUm7KAd6JtFMGFWwH5iksXSGBwKMDHreO9w7chAdaD38VvhYPjs:tbhSnKAwCWjZmXtgBwpi3Fj5Ngb9
Malware Config
Signatures
Executes dropped EXE (47 IoCs)
pid | Process
464 | Process not Found
2300 | alg.exe
2720 | aspnet_state.exe
3016 | mscorsvw.exe
1044 | mscorsvw.exe
2780 | mscorsvw.exe
616 | mscorsvw.exe
2040 | ehRecvr.exe
1056 | ehsched.exe
2324 | elevation_service.exe
1672 | IEEtwCollector.exe
1644 | mscorsvw.exe
1648 | GROOVE.EXE
884 | mscorsvw.exe
2224 | maintenanceservice.exe
2944 | msdtc.exe
2716 | msiexec.exe
2180 | OSE.EXE
580 | OSPPSVC.EXE
1768 | perfhost.exe
2892 | mscorsvw.exe
1872 | locator.exe
2116 | snmptrap.exe
2968 | vds.exe
2824 | vssvc.exe
2632 | wbengine.exe
2664 | mscorsvw.exe
1764 | WmiApSrv.exe
2196 | wmpnetwk.exe
1704 | mscorsvw.exe
1480 | SearchIndexer.exe
2792 | mscorsvw.exe
2444 | mscorsvw.exe
1388 | mscorsvw.exe
1828 | mscorsvw.exe
2420 | mscorsvw.exe
1628 | mscorsvw.exe
1584 | mscorsvw.exe
1868 | mscorsvw.exe
1244 | mscorsvw.exe
1056 | mscorsvw.exe
2664 | mscorsvw.exe
2040 | mscorsvw.exe
944 | mscorsvw.exe
2428 | mscorsvw.exe
1716 | mscorsvw.exe
2340 | mscorsvw.exe
Loads dropped DLL (14 IoCs)
pid | Process
464 | Process not Found (7 entries)
2716 | msiexec.exe
464 | Process not Found (5 entries)
760 | Process not Found
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (17 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\e264c5824501ed38.bin | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\System32\alg.exe | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
Drops file in Program Files directory (64 IoCs)
All 64 entries have description "File opened for modification" and Process 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe; the ioc paths are:
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe
C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe
C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe
C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe
C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe
C:\Program Files\Mozilla Firefox\crashreporter.exe
C:\Program Files\Mozilla Firefox\updater.exe
C:\Program Files\VideoLAN\VLC\uninstall.exe
C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe
C:\Program Files\Java\jre7\bin\tnameserv.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe
C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe
C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe
C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe
C:\Program Files\Mozilla Firefox\maintenanceservice.exe
C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe
C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE
C:\Program Files\7-Zip\Uninstall.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe
C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe
C:\Program Files\Java\jre7\bin\unpack200.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe
C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
C:\Program Files\7-Zip\7zG.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe
C:\Program Files\Java\jre7\bin\ktab.exe
C:\Program Files\Java\jre7\bin\rmid.exe
C:\Program Files\Mozilla Firefox\default-browser-agent.exe
C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
C:\Program Files\DVD Maker\DVDMaker.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iediagcmd.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe
C:\Program Files\Java\jre7\bin\javacpl.exe
C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
Drops file in Windows directory (27 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
Modifies data under HKEY_USERS (54 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health | wmpnetwk.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | OSPPSVC.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 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 | OSPPSVC.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{9D2AA601-D83B-482C-B2D4-011350A7A86E} | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{9D2AA601-D83B-482C-B2D4-011350A7A86E} | wmpnetwk.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | ehRecvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | GROOVE.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wmpnetwk.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | wmpnetwk.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" | ehRec.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | ehRecvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" | ehRec.exe
Suspicious behavior: EnumeratesProcesses (26 IoCs)
pid | Process
1480 | ehRec.exe
856 | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe (25 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeTakeOwnershipPrivilege | 856 | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
Token: SeShutdownPrivilege | 2780 | mscorsvw.exe
Token: SeShutdownPrivilege | 616 | mscorsvw.exe
Token: SeShutdownPrivilege | 2780 | mscorsvw.exe
Token: SeShutdownPrivilege | 616 | mscorsvw.exe
Token: 33 | 1316 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 1316 | EhTray.exe
Token: SeShutdownPrivilege | 2780 | mscorsvw.exe
Token: SeShutdownPrivilege | 2780 | mscorsvw.exe
Token: SeShutdownPrivilege | 616 | mscorsvw.exe
Token: SeShutdownPrivilege | 616 | mscorsvw.exe
Token: SeDebugPrivilege | 1480 | ehRec.exe
Token: SeRestorePrivilege | 2716 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2716 | msiexec.exe
Token: 33 | 1316 | EhTray.exe
Token: SeIncBasePriorityPrivilege | 1316 | EhTray.exe
Token: SeSecurityPrivilege | 2716 | msiexec.exe
Token: SeShutdownPrivilege | 616 | mscorsvw.exe
Token: SeBackupPrivilege | 2824 | vssvc.exe
Token: SeRestorePrivilege | 2824 | vssvc.exe
Token: SeAuditPrivilege | 2824 | vssvc.exe
Token: SeBackupPrivilege | 2632 | wbengine.exe
Token: SeRestorePrivilege | 2632 | wbengine.exe
Token: SeSecurityPrivilege | 2632 | wbengine.exe
Token: SeManageVolumePrivilege | 1480 | SearchIndexer.exe
Token: 33 | 1480 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 1480 | SearchIndexer.exe
Token: 33 | 2196 | wmpnetwk.exe
Token: SeIncBasePriorityPrivilege | 2196 | wmpnetwk.exe
Token: SeShutdownPrivilege | 616 | mscorsvw.exe
Token: SeDebugPrivilege | 856 | 2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe (5 entries)
Token: SeShutdownPrivilege | 616 | mscorsvw.exe (29 entries)
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1316 | EhTray.exe (2 entries)
Suspicious use of SendNotifyMessage (2 IoCs)
pid | Process
1316 | EhTray.exe (2 entries)
Suspicious use of SetWindowsHookEx (11 IoCs)
pid | Process
2492 | SearchProtocolHost.exe (5 entries)
2044 | SearchProtocolHost.exe (6 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 616 wrote to memory of 1644 | 616 | mscorsvw.exe | 40 (3 entries)
PID 616 wrote to memory of 884 | 616 | mscorsvw.exe | 42 (3 entries)
PID 2780 wrote to memory of 2892 | 2780 | mscorsvw.exe | 51 (4 entries)
PID 2780 wrote to memory of 2664 | 2780 | mscorsvw.exe | 57 (4 entries)
PID 2780 wrote to memory of 1704 | 2780 | mscorsvw.exe | 60 (4 entries)
PID 1480 wrote to memory of 2492 | 1480 | SearchIndexer.exe | 62 (3 entries)
PID 1480 wrote to memory of 1152 | 1480 | SearchIndexer.exe | 63 (3 entries)
PID 2780 wrote to memory of 2792 | 2780 | mscorsvw.exe | 64 (4 entries)
PID 2780 wrote to memory of 2444 | 2780 | mscorsvw.exe | 65 (4 entries)
PID 1480 wrote to memory of 2044 | 1480 | SearchIndexer.exe | 66 (3 entries)
PID 2780 wrote to memory of 1388 | 2780 | mscorsvw.exe | 67 (4 entries)
PID 2780 wrote to memory of 1828 | 2780 | mscorsvw.exe | 68 (4 entries)
PID 2780 wrote to memory of 2420 | 2780 | mscorsvw.exe | 69 (4 entries)
PID 2780 wrote to memory of 1628 | 2780 | mscorsvw.exe | 70 (4 entries)
PID 2780 wrote to memory of 1584 | 2780 | mscorsvw.exe | 71 (4 entries)
PID 2780 wrote to memory of 1868 | 2780 | mscorsvw.exe | 72 (4 entries)
PID 2780 wrote to memory of 1244 | 2780 | mscorsvw.exe | 73 (4 entries)
PID 2780 wrote to memory of 1056 | 2780 | mscorsvw.exe | 74
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe (tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:856
-
C:\Windows\System32\alg.exe (tree level 1)
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:2300
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe (tree level 1)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
- Executes dropped EXE
PID:2720
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (tree level 1)
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:3016
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (tree level 1)
Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:1044
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (tree level 1)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (tree level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2892
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (tree level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2664
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (tree level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1704
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (tree level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1a8 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2792
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (tree level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 23c -NGENProcess 1d0 -Pipe 248 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2444
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (tree level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 260 -NGENProcess 1ec -Pipe 1a8 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1388
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (tree level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 238 -NGENProcess 240 -Pipe 1d4 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1828
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (tree level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 1d0 -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2420
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (tree level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1ec -NGENProcess 268 -Pipe 180 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1628
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (tree level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 240 -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1584
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (tree level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 274 -NGENProcess 268 -Pipe 270 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1868
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (tree level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 250 -NGENProcess 27c -Pipe 240 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1244
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (tree level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 238 -NGENProcess 280 -Pipe 278 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1056
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (tree level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 24c -NGENProcess 27c -Pipe 260 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2664
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (tree level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 23c -NGENProcess 288 -Pipe 238 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2040
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (tree level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 23c -NGENProcess 284 -Pipe 27c -Comment "NGen Worker Process"
- Executes dropped EXE
PID:944
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (tree level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 290 -NGENProcess 288 -Pipe 264 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2428
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (tree level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 280 -NGENProcess 288 -Pipe 294 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1716
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (tree level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a4 -NGENProcess 284 -Pipe 2a0 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:2340
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (tree level 1)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:616
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (tree level 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:1644
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (tree level 2)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
- Executes dropped EXE
PID:884
-
-
C:\Windows\ehome\ehRecvr.exe (tree level 1)
Command line: C:\Windows\ehome\ehRecvr.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2040
-
C:\Windows\ehome\ehsched.exe (tree level 1)
Command line: C:\Windows\ehome\ehsched.exe
- Executes dropped EXE
PID:1056
-
C:\Windows\eHome\EhTray.exe (tree level 1)
Command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1316
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (tree level 1)
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:2324
-
C:\Windows\ehome\ehRec.exe (tree level 1)
Command line: C:\Windows\ehome\ehRec.exe -Embedding
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480
-
C:\Windows\system32\IEEtwCollector.exe (tree level 1)
Command line: C:\Windows\system32\IEEtwCollector.exe /V
- Executes dropped EXE
PID:1672
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE (tree level 1)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1648
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (tree level 1)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:2224
-
C:\Windows\System32\msdtc.exe (tree level 1)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2944
-
C:\Windows\system32\msiexec.exe (tree level 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2716
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE (tree level 1)
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2180
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (tree level 1)
Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:580
-
C:\Windows\SysWow64\perfhost.exe (tree level 1)
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:1768
-
C:\Windows\system32\locator.exe (tree level 1)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:1872
-
C:\Windows\System32\snmptrap.exe (tree level 1)
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2116
-
C:\Windows\System32\vds.exe (tree level 1)
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:2968
-
C:\Windows\system32\vssvc.exe (tree level 1)
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2824
-
C:\Windows\system32\wbengine.exe (tree level 1)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2632
-
C:\Windows\system32\wbem\WmiApSrv.exe (tree level 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1764
-
C:\Program Files\Windows Media Player\wmpnetwk.exe (tree level 1)
Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2196
-
C:\Windows\system32\SearchIndexer.exe (tree level 1)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480
-
C:\Windows\system32\SearchProtocolHost.exe (tree level 2)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3787592910-3720486031-2929222812-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3787592910-3720486031-2929222812-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
- Suspicious use of SetWindowsHookEx
PID:2492
-
-
C:\Windows\system32\SearchFilterHost.exe (tree level 2)
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
PID:1152
-
-
C:\Windows\system32\SearchProtocolHost.exe (tree level 2)
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2044
-
Network
MITRE ATT&CK Enterprise v15
Downloads