Analysis
max time kernel
110s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted
29-05-2024 15:18
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
Resource
win7-20240508-en
General
Target
2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
Size
5.3MB
MD5
e9d2095fecf3cbe693cdf24316f02c2e
SHA1
37d430bf884e5965b53cce09a21d9a71719b548f
SHA256
7123f88b0143e0d6e445d0f9b3fe68150622b151b2dc0802676fd886bb7f4391
SHA512
a653588f10122205c901b966ed15177527f1d4672434172129174898c7818226322f91d2275f5af1939487093c60fdd81cc75fec1c4b0de2dd4974b97248ef2f
SSDEEP
98304:EZJt4HINy2LkFlqJkdmBucaT57KFC4qJ31B0G0c5S2uf+bGhN:qiINy2LkF82dV7VKCtj0QufMg
Malware Config
Signatures
Note: the family names in the sample's filename (icedid, magniber, qakbot) are not confirmed by any signature in this run. The memory YARA hits below are purplefox_rootkit and family_gh0strat, and the process tree shows a dropper chain (RVN.exe writes C:\Windows\SysWOW64\TXPlatforn.exe, which drops and loads the QAssist.sys driver).
Purplefox rootkit 9 IoCs
Processes:
resource (memory dump)                                                                   yara_rule
behavioral1/memory/1736-{7,12,8}-0x0000000010000000-0x00000000101B6000-memory.dmp        purplefox_rootkit
behavioral1/memory/2480-{18,24}-0x0000000010000000-0x00000000101B6000-memory.dmp         purplefox_rootkit
behavioral1/memory/2712-{32,34,38,72}-0x0000000010000000-0x00000000101B6000-memory.dmp   purplefox_rootkit
(nine dumps of the same 0x1B6000-byte region based at 0x10000000 in pids 1736, 2480 and 2712; the braces list the dump numbers)
Gh0st RAT payload 9 IoCs
Processes:
resource (memory dump)                                                                   yara_rule
behavioral1/memory/1736-{7,12,8}-0x0000000010000000-0x00000000101B6000-memory.dmp        family_gh0strat
behavioral1/memory/2480-{18,24}-0x0000000010000000-0x00000000101B6000-memory.dmp         family_gh0strat
behavioral1/memory/2712-{32,34,38,72}-0x0000000010000000-0x00000000101B6000-memory.dmp   family_gh0strat
(the same nine dumps that matched purplefox_rootkit above)
UPX dump on OEP (original entry point) 10 IoCs
Processes:
resource (memory dump)                                                                   yara_rule
behavioral1/memory/1736-{5,7,12,8}-0x0000000010000000-0x00000000101B6000-memory.dmp      UPX
behavioral1/memory/2480-{18,24}-0x0000000010000000-0x00000000101B6000-memory.dmp         UPX
behavioral1/memory/2712-{32,34,38,72}-0x0000000010000000-0x00000000101B6000-memory.dmp   UPX
Drops file in Drivers directory 1 IoCs
Processes:
description    ioc                                        process
File created   C:\Windows\system32\drivers\QAssist.sys    TXPlatforn.exe
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
description       ioc                                                                                                          process
Set value (str)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"        TXPlatforn.exe
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description         ioc                                                                                                   process
Key value queried   \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation   steamwebhelper.exe (4 events)
Caveat: in this run the reader is steamwebhelper.exe, the Steam client's CEF helper that the dropped HD_ payload launches (see the process tree), and a locale lookup is ordinary behaviour for a browser process. Treat this hit as weak evidence on its own.
Executes dropped EXE 26 IoCs
Processes:
pid    process
1736   RVN.exe
2480   TXPlatforn.exe
2712   TXPlatforn.exe
2660   HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
1700   HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
1268   steamwebhelper.exe
712    steamwebhelper.exe
2988   steamwebhelper.exe
2560   gldriverquery64.exe
2568   gldriverquery.exe
2532   steamwebhelper.exe
1092   steamwebhelper.exe
2228   steamwebhelper.exe
876    steamwebhelper.exe
1788   vulkandriverquery64.exe
1800   vulkandriverquery.exe
1544   steamwebhelper.exe
3008   steamwebhelper.exe
1120   steamwebhelper.exe
1184   steamwebhelper.exe
2104   steamwebhelper.exe
1956   steamwebhelper.exe
2804   steamwebhelper.exe
2572   steamwebhelper.exe
1500   steamwebhelper.exe
1192   steamwebhelper.exe
Loads dropped DLL 64 IoCs
Processes (pid process, in the order reported; ×N marks consecutive repeats):
2036   2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
2480   TXPlatforn.exe
2036   2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
2660   HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
1700   HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe ×16
1268   steamwebhelper.exe ×5
712    steamwebhelper.exe ×3
1268   steamwebhelper.exe
2988   steamwebhelper.exe ×3
1700   HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
2988   steamwebhelper.exe ×3
1700   HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe ×4
1268   steamwebhelper.exe
2532   steamwebhelper.exe ×6
1268   steamwebhelper.exe ×2
1092   steamwebhelper.exe ×3
2228   steamwebhelper.exe ×3
1268   steamwebhelper.exe
876    steamwebhelper.exe ×4
1700   HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe ×4
UPX packed file 10 IoCs
Processes:
resource (memory dump)                                                                   yara_rule
behavioral1/memory/1736-{5,7,12,8}-0x0000000010000000-0x00000000101B6000-memory.dmp      upx
behavioral1/memory/2480-{18,24}-0x0000000010000000-0x00000000101B6000-memory.dmp         upx
behavioral1/memory/2712-{32,34,38,72}-0x0000000010000000-0x00000000101B6000-memory.dmp   upx
Drops file in System32 directory 2 IoCs
Processes:
description                    ioc                                   process
File created                   C:\Windows\SysWOW64\TXPlatforn.exe    RVN.exe
File opened for modification   C:\Windows\SysWOW64\TXPlatforn.exe    RVN.exe
Drops file in Program Files directory 4 IoCs
Processes:
description                    ioc                                                          process
File opened for modification   C:\Program Files\VideoLAN\VLC\vlc.exe                        2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
File opened for modification   C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe   2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
File opened for modification   C:\Program Files\Mozilla Firefox\firefox.exe                 2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
File created                   C:\Program Files (x86)\Google\Chrome\Application\chrome.exe   2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
Check on a suspect host: the sample opens three installed application binaries for modification and creates a chrome.exe, so verify the Authenticode signature of all four (for example with Get-AuthenticodeSignature) rather than trusting their names.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
Processes:
pid    pid_target   process        target process
1928   1700         WerFault.exe   HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description         ioc                                                                      process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0         steamwebhelper.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz    steamwebhelper.exe
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0         HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz    HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0         HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz    HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
Key opened          \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0         HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
Caveat: the ~MHz value is also read by ordinary software for timer calibration, so weigh this with the driver drop and the YARA hits rather than on its own.
Modifies system certificate store 5 IoCs
Processes:
description        ioc                                                                                                                     process
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8           HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob, not reproduced here)   HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25       HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob, not reproduced here)   HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob, not reproduced here)   HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
Check and caveat: the two 40-hex-digit key names are SHA-1 thumbprints, so a suspect host can be inspected with certutil -store Root CABD2A79A1076A31F21D253635CB039D4329A5E8 and certutil -store AuthRoot 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25. Resolve both thumbprints against known public CA roots before concluding that a rogue root was installed: the writer is the HD_ payload that also hosts the CEF browser helper, and AuthRoot is the store Windows itself populates through automatic root update when a process first validates a chain.
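The signature tables above are flattened rows of three shapes: memory-YARA hits (resource plus yara_rule), file events (File created / File opened for modification, path, process) and registry events (action, key, optional data, process). The Python below is an added example written for this page, not code from the sandbox or its vendor. It parses rows copied from this report (embedded as a constructed sample) into a host IoC summary: which pids each YARA family matched, the dropped files, the service ImagePath written for QAssist, and the thumbprints added to the ROOT and AuthRoot stores. The function and pattern names (parse_memory_hit, summarize, MEM_RE and so on) are this example's own, and REG_SZ data is unescaped on the assumption that the report prints it as an escaped string, which is how the QAssist ImagePath row reads.

```python
import re

# Rows copied from this report's signature tables (constructed sample, not a live feed).
SAMPLE_ROWS = [
    "behavioral1/memory/1736-7-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit",
    "behavioral1/memory/1736-7-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat",
    "behavioral1/memory/2712-32-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat",
    "behavioral1/memory/2480-18-0x0000000010000000-0x00000000101B6000-memory.dmp UPX",
    r"File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe",
    r"File created C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe",
    r"File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe 2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe",
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" TXPlatforn.exe',
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe",
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation steamwebhelper.exe",
    r"Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe",
]

# Memory-YARA row: behavioral1/memory/<pid>-<dump#>-0x<start>-0x<end>-memory.dmp <rule>
MEM_RE = re.compile(
    r"^behavioral\d+/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)
# File row: "File created <path> <process>"; the path may contain spaces, the process name may not.
FILE_RE = re.compile(r"^File (?P<action>created|opened for modification)\s+(?P<path>.+?)\s+(?P<proc>\S+)$")
# Registry row: "<action> <key>[ = "<data>"] <process>"; keys may contain spaces (Control Panel).
REG_RE = re.compile(
    r'^(?P<action>Key created|Key opened|Key value queried|Set value \([a-z]+\))\s+'
    r'(?P<key>\\REGISTRY\\.+?)(?:\s+=\s+"(?P<data>.*)")?\s+(?P<proc>\S+)$',
    re.I,
)
SVC_RE = re.compile(r"\\services\\(?P<svc>[^\\]+)\\ImagePath$", re.I)
CERT_RE = re.compile(r"\\SystemCertificates\\(?P<store>ROOT|AuthRoot)\\Certificates\\(?P<thumb>[0-9A-Fa-f]{40})$")


def parse_memory_hit(row):
    """Parse one memory-YARA row; returns None for rows of another shape."""
    m = MEM_RE.match(row.strip())
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "dump_seq": int(m["seq"]), "start": start,
            "end": end, "size": end - start, "rule": m["rule"]}


def summarize(rows):
    """Fold signature rows into a per-host IoC summary."""
    summary = {
        "memory_hits": {},          # rule -> set of pids whose memory matched it
        "dropped_files": [],        # (action, path, process)
        "registry_events": [],      # (action, key, process)
        "service_image_paths": {},  # service name -> ImagePath value
        "root_certs": set(),        # (store, SHA-1 thumbprint) keys created in machine stores
    }
    for row in rows:
        row = row.strip()
        hit = parse_memory_hit(row)
        if hit:
            summary["memory_hits"].setdefault(hit["rule"], set()).add(hit["pid"])
            continue
        m = FILE_RE.match(row)
        if m:
            summary["dropped_files"].append((m["action"], m["path"], m["proc"]))
            continue
        m = REG_RE.match(row)
        if not m:
            continue
        summary["registry_events"].append((m["action"], m["key"], m["proc"]))
        svc = SVC_RE.search(m["key"])
        if svc and m["data"] is not None:
            # Assumption: the report prints REG_SZ data escaped, so "\\" is one backslash on disk.
            summary["service_image_paths"][svc["svc"]] = m["data"].replace("\\\\", "\\")
        cert = CERT_RE.search(m["key"])
        if cert:
            summary["root_certs"].add((cert["store"].upper(), cert["thumb"].upper()))
    return summary


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    for rule, pids in s["memory_hits"].items():
        print(f"{rule}: pids {sorted(pids)}")
    print("dropped files:", [p for _, p, _ in s["dropped_files"]])
    print("service image paths:", s["service_image_paths"])
    print("root store thumbprints:", sorted(s["root_certs"]))
```

The summary is what a responder needs for host triage: the pids tell you which dumps to pull, the ImagePath and driver path give the persistence to remove, and the thumbprints feed straight into a certutil -store check.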
Runs ping.exe 1 TTPs 1 IoCs
Processes:
pid    process
2688   PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid process; ×N marks consecutive repeats):
2036   2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
1700   HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe ×63
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid    process
1700   HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid    process
2712   TXPlatforn.exe
This is the driver-load step: the same pid enables SeLoadDriverPrivilege (below), after TXPlatforn.exe has dropped C:\Windows\system32\drivers\QAssist.sys and written the QAssist service ImagePath. On a suspect host, check the service with sc qc QAssist and sc query QAssist and look for the driver file.
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes (×N marks consecutive repeats):
description                         pid    process
Token: SeIncBasePriorityPrivilege   1736   RVN.exe
Token: SeLoadDriverPrivilege        2712   TXPlatforn.exe
Token: 33                           2712   TXPlatforn.exe   (privilege LUID 33 is SeIncreaseWorkingSetPrivilege)
Token: SeIncBasePriorityPrivilege   2712   TXPlatforn.exe
Token: SeShutdownPrivilege          1268   steamwebhelper.exe ×4
Token: SeShutdownPrivilege          1120   steamwebhelper.exe ×20
Suspicious use of FindShellTrayWindow 23 IoCs
Processes:
pid    process
1120   steamwebhelper.exe ×23
Suspicious use of SendNotifyMessage 20 IoCs
Processes:
pid    process
1120   steamwebhelper.exe ×20
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid    process
2036   2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe ×2
1700   HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description, then process -> target process; ×N marks consecutive repeats):
PID 2036 wrote to memory of 1736   2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe -> RVN.exe ×7
PID 1736 wrote to memory of 2648   RVN.exe -> cmd.exe ×4
PID 2480 wrote to memory of 2712   TXPlatforn.exe -> TXPlatforn.exe ×7
PID 2036 wrote to memory of 2660   2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe -> HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe ×4
PID 2648 wrote to memory of 2688   cmd.exe -> PING.EXE ×4
PID 2660 wrote to memory of 1700   HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe -> HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe ×4
PID 1700 wrote to memory of 1268   HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe -> steamwebhelper.exe ×4
PID 1268 wrote to memory of 712    steamwebhelper.exe -> steamwebhelper.exe ×3
PID 1268 wrote to memory of 2988   steamwebhelper.exe -> steamwebhelper.exe ×27
Every row is a parent writing into a child it has just created, so this list largely restates the process tree. The one pair the tree excerpt below does not show is TXPlatforn.exe 2480 spawning a second TXPlatforn.exe, pid 2712, which is the instance that loads the driver.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RVN.exeC:\Users\Admin\AppData\Local\Temp\\RVN.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exeC:\Users\Admin\AppData\Local\Temp\HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exeC:\Users\Admin\AppData\Local\Temp\HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exeC:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=1700" "-buildid=1716584667" "-steamid=0" "-logdir=C:\Users\Admin\AppData\Local\Temp\logs" "-uimode=7" "-startcount=0" "-userdatadir=C:\Users\Admin\AppData\Local\Steam\cefdata" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Users\Admin\AppData\Local\Temp\clientui" "-steampath=C:\Users\Admin\AppData\Local\Temp\HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write --disablehighdpi "--force-device-scale-factor=1" "--device-scale-factor=1" "--log-file=C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --disable-quick-menu "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal"4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (depth 5)
Command line: C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\dumps "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1716584667 --initial-client-data=0x228,0x22c,0x230,0x1fc,0x234,0x7fef64eee38,0x7fef64eee48,0x7fef64eee58
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1092 --field-trial-handle=1184,i,246115724486181146,9531439815177079255,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=620 --field-trial-handle=1184,i,246115724486181146,9531439815177079255,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1604 --field-trial-handle=1184,i,246115724486181146,9531439815177079255,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1652 --field-trial-handle=1184,i,246115724486181146,9531439815177079255,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --first-renderer-process --force-device-scale-factor=1 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2212 --field-trial-handle=1184,i,246115724486181146,9531439815177079255,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1416 --field-trial-handle=1184,i,246115724486181146,9531439815177079255,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=2384 --field-trial-handle=1184,i,246115724486181146,9531439815177079255,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\bin\gldriverquery64.exe (depth 4)
Command line: .\bin\gldriverquery64.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\bin\gldriverquery.exe (depth 4)
Command line: .\bin\gldriverquery.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\bin\vulkandriverquery64.exe (depth 4)
Command line: .\bin\vulkandriverquery64.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\bin\vulkandriverquery.exe (depth 4)
Command line: .\bin\vulkandriverquery.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (depth 4)
Command line: C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=1700" "-buildid=1716584667" "-steamid=0" "-logdir=C:\Users\Admin\AppData\Local\Temp\logs" "-uimode=7" "-startcount=1" "-userdatadir=C:\Users\Admin\AppData\Local\Steam\cefdata" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Users\Admin\AppData\Local\Temp\clientui" "-steampath=C:\Users\Admin\AppData\Local\Temp\HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write --disablehighdpi "--force-device-scale-factor=1" "--device-scale-factor=1" "--log-file=C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --disable-quick-menu "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal"
- Checks computer location settings
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (depth 5)
Command line: C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\dumps "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1716584667 --initial-client-data=0x228,0x22c,0x230,0x1fc,0x234,0x7fef63cee38,0x7fef63cee48,0x7fef63cee58
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1132 --field-trial-handle=1184,i,6202109372204927800,12398157804542899977,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1508 --field-trial-handle=1184,i,6202109372204927800,12398157804542899977,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1464 --field-trial-handle=1184,i,6202109372204927800,12398157804542899977,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1212 --field-trial-handle=1184,i,6202109372204927800,12398157804542899977,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1836 --field-trial-handle=1184,i,6202109372204927800,12398157804542899977,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --first-renderer-process --force-device-scale-factor=1 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2216 --field-trial-handle=1184,i,6202109372204927800,12398157804542899977,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe (depth 4)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 2496
- Program crash
-
C:\Windows\SysWOW64\TXPlatforn.exe (depth 1)
Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TXPlatforn.exe (depth 2)
Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
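The tree above is the raw sandbox record; an analyst normally reduces it to a handful of findings. The Python script below is an added example and is not part of this report or of any sandbox product. It re-applies a few review rules to a hand-transcribed subset of the entries above (the entries and the rule set are constructed for this example; the long steamwebhelper.exe argument lists are abridged). It assumes that TXPlatform.exe is the legitimate Tencent component name that the dropped TXPlatforn.exe resembles, and that a steamwebhelper.exe running from a user's Temp directory is not running from a Steam installation.

```python
"""Rule-based second look at a sandbox process tree (added example)."""
import re

# Constructed from the process tree above; steamwebhelper.exe arguments abridged.
PROCESSES = [
    {"image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul",
     "tags": ("Suspicious use of WriteProcessMemory",)},
    {"image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping -n 2 127.0.0.1",
     "tags": ("Runs ping.exe",)},
    {"image": r"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client"',
     "tags": ("Executes dropped EXE", "Loads dropped DLL")},
    {"image": r"C:\Windows\SysWOW64\TXPlatforn.exe",
     "cmdline": r"C:\Windows\SysWOW64\TXPlatforn.exe -acsi",
     "tags": ("Drops file in Drivers directory", "Sets service image path in registry",
              "Executes dropped EXE", "Suspicious behavior: LoadsDriver")},
]

# cmd.exe /c ping -n N 127.0.0.1 ... && del <file>: a delay loop followed by a
# delete, the usual way a dropper removes its own loader once it has run.
SELF_DELETE = re.compile(
    r"ping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1.*?&&\s*del\s+(?P<target>[^\s>&]+)",
    re.IGNORECASE,
)

# Assumed legitimate vendor binary names that dropped files may imitate or
# relocate (TXPlatform.exe is taken to be a Tencent QQ component: assumption).
VENDOR_NAMES = {"txplatform.exe", "steamwebhelper.exe"}
TEMP_MARKER = "\\appdata\\local\\temp\\"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def findings_for(proc: dict) -> list:
    """Apply each rule to one process entry and return the matching findings."""
    out = []
    name = basename(proc["image"])
    image = proc["image"].lower()
    tags = set(proc["tags"])

    m = SELF_DELETE.search(proc["cmdline"])
    if m and name == "cmd.exe":
        out.append(f"ping-delay self-deletion of {m.group('target')}")

    if name in VENDOR_NAMES:
        if TEMP_MARKER in image:
            out.append(f"{name} executed from a user Temp directory rather than an install location")
    else:
        for known in sorted(VENDOR_NAMES):
            if edit_distance(name, known) == 1:
                out.append(f"name is one character away from {known}")

    if {"Drops file in Drivers directory", "Sets service image path in registry"} <= tags:
        out.append("writes a driver and registers a service image path (kernel-mode persistence)")
    return out


def review(processes: list) -> dict:
    """Map image basename -> findings, keeping only processes that triggered a rule."""
    report = {}
    for proc in processes:
        hits = findings_for(proc)
        if hits:
            report.setdefault(basename(proc["image"]), []).extend(hits)
    return report


if __name__ == "__main__":
    for name, hits in review(PROCESSES).items():
        print(name)
        for hit in hits:
            print("  -", hit)
```

The tag-based rule only combines labels the sandbox already emitted, so it adds no new evidence; the other three work from the image path and command line alone and can be run over EDR process-creation events without a sandbox.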
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\Local\Steam\htmlcache\CURRENT~RFf77819e.TMP
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnCache\data_2
Filesize: 8KB
MD5: 0962291d6d367570bee5454721c17e11
SHA1: 59d10a893ef321a706a9255176761366115bedcb
SHA256: ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512: f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnCache\data_3
Filesize: 8KB
MD5: 41876349cb12d6db992f1309f22df3f0
SHA1: 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256: e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512: e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_0
Filesize: 8KB
MD5: cf89d16bb9107c631daabf0c0ee58efb
SHA1: 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256: d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512: 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_1
Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Steam\htmlcache\Local Storage\leveldb\000002.dbtmp
Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Steam\htmlcache\Session Storage\000004.dbtmp
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Steam\htmlcache\Session Storage\MANIFEST-000001
Filesize: 41B
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Temp\CabB53C.tmp
Filesize: 68KB
MD5: 29f65ba8e88c063813cc50a4ea544e93
SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize: 1.1MB
MD5: 2fb5e96a5debe6ede912aee81f069724
SHA1: 715c54f319ee8776df94bb83493c7a8a662433b7
SHA256: df31961681b7f047f7d344214c752cd9119cefd06e357f3c66cce3c1aa6ff6ed
SHA512: cb59580f9340a74a566ae8e8c394ed053925d46a2fd407edb6ea48fb62e7a80a9e17a939f7233123c9cba455984c45fd29e423b4ee515d7563572c2e9c3fddb4
-
C:\Users\Admin\AppData\Local\Temp\TarB7F2.tmp
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Users\Admin\AppData\Local\Temp\aom.dll
Filesize: 7.1MB
MD5: d764264518e77cc546a5876c3bcebad4
SHA1: ea17d45b396fa193a851bfd345e2b2c20ad60e12
SHA256: e78492de0ab575add50b925bfd44216d224d09904a9b14c17087a92fdcbc15cd
SHA512: 7cf132ea5254a55c08186ffcf5e47360ef5ddd57d03d7051171f6753b22e3925304d183c2037bfd320ad56c08e079f9b2c4640db8cb3dbd38ff500c7a39e997f
-
C:\Users\Admin\AppData\Local\Temp\avif-16.dll
Filesize: 226KB
MD5: a09c5fa842fa4456a0b53b46f1050225
SHA1: 9e4677f19e77bf55e7d0e2e82d8c27f79dbbd78e
SHA256: 3d7ba6fedfdfd6e751693d718a21438304690b754d1c5d13c847a829b2423b8b
SHA512: 71c962da6ed6894209891513bf9f0132a5eab6c65a5d9ba334efcaf73463be5625665a060863a106d59fad1949f6191f641aa4c59ddb0e825701bef08ef9b5a5
-
C:\Users\Admin\AppData\Local\Temp\bin\audio.dll
Filesize: 175KB
MD5: cbc43e3928d5fd556456f8f9ef285063
SHA1: 33c043f63171ddbbe58a5031961cb5040d1a245b
SHA256: ae99258ab7694026147b259367ef82d8ac2b118f87c02c7a41f81b82d1f7a9d7
SHA512: 0d13bebbd71e48a1dffa34ad68e2a76746b3d745529842aba594b5de4d1a621f8759a2968cd61d8dfe9780a9ff23e808b6c90d63957e6ac2f95bf1ae0bf4b3a6
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-console-l1-1-0.dll
Filesize: 23KB
MD5: 9c2202f9ebd8d2e8c90c93d3b0f433e1
SHA1: 3d20c8f8428df16372e7de91a6d4f94b80aefb4c
SHA256: 894842053591d4818bac9e1e476601cf39e4191b4bd0748ccb9f3c2711caa946
SHA512: b274b3f3dafd290f72351b36b9937445e78b6a16eb6cfa9a0b6de3cf11d5d809cd5f4095c2c4a05c16bdd1fb1be0b883e4c387ae8f7693eab958a63ce408097e
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-console-l1-2-0.dll
Filesize: 23KB
MD5: 0b2450ac7066b1aa6970cd4763bed6a8
SHA1: 9cdc98d8a852c5e66c42e83edec21a1a2ab1d347
SHA256: 9e9ee99c5fbe9a2a784d324b4bff06842874dbc33320c1fb02f063060d2d5c7b
SHA512: a1e0b0dee99c5d4ee03f15fa69436f41c965438b289eb244c8bbdec2de4b439e8ea60417ca6a37064b0aff023fbae5debb732e5e69027ca86623514520d6dffd
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-datetime-l1-1-0.dll
Filesize: 23KB
MD5: 880c1094ab4679600f77012712fcfdcc
SHA1: d92636752ceed77e4eb37967306de746953e375a
SHA256: 65e57b5316eee1433c006adc6487c3ad3e17412b1a6d5a35ba518aaefd871bbf
SHA512: de8a622fd97bcd0a429c7a0874fc6dbeacb966e406dc519448ddfb420f584686a7a5ef105b4ac45a3a8de3bf0b7ed5b79ed62a92ebfceea3bceccce7298af652
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-debug-l1-1-0.dll
Filesize: 23KB
MD5: df9bc6c6936655ed05180de600916f3c
SHA1: abfd6dc420368aaee7d3ce11cca36af3cb4446f6
SHA256: b34fda7a50b20aaae509d0919ced53d718afb997a2bd9f3b97446c3cebf994d6
SHA512: b6d935a6046a573df8c0a7bafd57c35f333f74fbe754e18de13cdf9a39fd9649449030539b208046651d648eca20e4b5d0e73a8a7d173d6ea37bbfc311b0d6df
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-errorhandling-l1-1-0.dll
Filesize: 23KB
MD5: a78aabc0f9a9dc5b9923d2ff67d24f23
SHA1: 3a0330b84c7ca674f0710c10eee1e5126d545429
SHA256: 39e98dd2cfd15b1687f3a8f8690a80026af0deaba5142c0fe503bbebca46d4c1
SHA512: 3efd9fd95ef6aa16172c3d89150d49611c21deaa13fd50c2114e76380de573255ec6bdcfe10665bbe15a17c1d05ba327ca7ea24949ad1a173b3db86bab24adcf
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-fibers-l1-1-0.dll
Filesize: 23KB
MD5: 72dbf67f86c95cdef31eaaef5861a00f
SHA1: 18134f00734a2255bdf9bbc777045ac2d4f2e2f3
SHA256: 5c74808c61ca8b6acb8f74813fb116341b18c27e4a654bbdd383b9fee3f33d36
SHA512: e0bbcdfb658ffa70b047cfd84a0e8a5613530ed0a34cc9ac365f69e253894db4b6fd059ce02627c201c1e9efe0b98aaddb70a641ce297677d3f9162838fdd1f3
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-file-l1-1-0.dll
Filesize: 27KB
MD5: ee9e1e1af17a74d23438fb63f6b66395
SHA1: 11f60e073257560f5f3dc8943e854bf2eac36ed2
SHA256: 8587505e511503127abb7e5c614853b7848a489d96da0a95bc736dc6c3097a5e
SHA512: aca34604580214291d1ea62765ecb280c6eafad7bf8967af8c268d2daff84f783dafec8ed334ac051ad61a14fc3128dc3f396116b9c6413a288fbe7bb099a202
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-file-l1-2-0.dll
Filesize: 23KB
MD5: a5707e6342e22d92ef8df839783d1716
SHA1: 642c499b65382d883f6f9381fa204ba8d08f1f10
SHA256: fbf7e43884a1fd8adf167a5cfa4319339e2dba84515ec4487e074decc9afb206
SHA512: 33a5255fe6b46d228cc131d27479d272342e88f12d884b841751167000e2c6a9c08a996526580a8466e957f4696d2400baf5d2cc2b3e5f8ea23ae3803d684285
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-file-l2-1-0.dll
Filesize: 23KB
MD5: a2317c5ce4c82910c7f4e97d48af645a
SHA1: 67f5034a905cd1ef0c2888fd2cc40c2024d0848c
SHA256: 363c1cc60b8cf09f026ffe4d6dabee37021f37d5719fa55ab807d56613e30b90
SHA512: 35be28f55fcde4ad140fa089ee86aaeff3e90f174737474dfd502925313225db393a3e27eda0b44d9bee831ead48a24e803c35884842cee2946d558650b6f8f5
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-handle-l1-1-0.dll
Filesize: 23KB
MD5: ae7a8beeed5233404cd32b2befa02077
SHA1: 34ea5e1d5ef85bb5af4ac7483b8bc46e9263764c
SHA256: 9e0fb5ca77dddd8716fa0c782a11d484756c471c91c35247a4e7e08f55e33b3a
SHA512: a6895c62834bb95622f909be1d85fc9b1796ab108c25b4652ae96517c2eea3df9b7c3ce951ec1283d91e5574e20eb1d6756b45b6d63753d3966bda2d8bf585a4
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-heap-l1-1-0.dll
Filesize: 23KB
MD5: f8716cb27d1ab19ee1a95aca508e1dc9
SHA1: 721f225d36302ba8542a0e223994f8339ffda596
SHA256: d9f71e7f76a39ff8b9cef6f931439de3ae62251be62543d16719d78c02cbdc1e
SHA512: dcb2b4ce63363cbc4a49d3b123eb4890634ea1ee25749ddd5cd3880123c3e53ca70c430eaaa9da15c23727cb5b4fde12b4388acd31b4c195377f6ed39dd3703d
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-interlocked-l1-1-0.dll
Filesize: 23KB
MD5: 4263970ca16f36e941598ba308e537b2
SHA1: fcd26814062ba652898931db3be5dff2968c12f1
SHA256: 555db885fe01dbf9078b46e2f2eca4de573d809f261fc38ff9338179de99d983
SHA512: bea8a3cb7cbf36ac011c425202904f981c00c3479f1438bf8ed2430430f37d6b2e84e90857e49c166e81f72dda9e51b96bb78c40292f41c742d0af51069bde1b
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-libraryloader-l1-1-0.dll
Filesize: 23KB
MD5: ccdc8fe8856484c4b9eb2a19270ca069
SHA1: aff62d30be1dcf65a95dd7e5a9fb6d4a29fd95b2
SHA256: c57320b896e75eafbc6c5edc7d5916ec895ac69fd24ad5e59bd3a8f4ca4e7fb6
SHA512: a231a5b7af686cc6f8909193757f999fee0e67880b9f0f956d80e760c3990c70f5b5cdac2fcfbb5aebf8ad43b2d8fe85067e17be2458eaa36dbe594dfa980714
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-localization-l1-2-0.dll
Filesize: 23KB
MD5: e6f7c30244cc74b2f9fbe25bc09f1e4a
SHA1: 579a395f38de163a6b1118504a3d398b4409119f
SHA256: 76fe06b6aee795bd72a52fac180a2e105f09745ebea017017e8025c5a0d3fcdb
SHA512: 621a85c7768b3666f4dfcb7d3e1ef6082b348ea60401f654bc2c9d660dfce78f74314e20df98c45644f6af5ca05e765a9fbdce1a7ca04ad3fa57dc67ca165fb0
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-memory-l1-1-0.dll
Filesize: 23KB
MD5: dccc7f052614666443de0dd379f2461e
SHA1: 1429be469a6fa1a0a67d28929fa63a807a289b12
SHA256: 9aff2ddfa566d25ff6a6930e58c6e041036c222aeafb809f623662897e52ce6e
SHA512: 5f1be2c1bdb42159a4c135dd7bc1376f28fe871ac2d11b2ee7733a50b1ad11fb2c1a195ef167be9a262bb24ce5c024eebbb2dd82e44955f6fe6ae623a7ae8784
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-namedpipe-l1-1-0.dll
Filesize: 23KB
MD5: 773b5cbf74b44f021305fc86accce0b8
SHA1: 4e13357b171dad8fd8608f848402553604b6b82c
SHA256: 42d22a4c725b707f2ca406b453ea5028032f4b31e3b8d6e2c11b6a3b92ed973c
SHA512: fe2379e5c7707aac8f5aab9febaf7baced61ed6b1e9c7e665fd0c6c46a5434437b9036df6a307a390400278ada7a7e1c6f4c005b3bd7ad2a6ec47e10dde1d7ed
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-processenvironment-l1-1-0.dll
Filesize: 23KB
MD5: b2804dea14ec0a1a8bb2877794024ef6
SHA1: f1f3affb9d90e26ee9b3076033a3360f7e83ad50
SHA256: 5412dd07064025ffcf8668da2aa2eaedb93d9f92a4d98e054994356414be5208
SHA512: c1cf4ecf1e34026d2cf6db45e2b0379e6db7f8ee8fee36f65f8f42bea1e61f6bace7b3ef06f6b316c21ef8c9961c425b778716d64557f7b836c366453606940b
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-processthreads-l1-1-0.dll
Filesize: 23KB
MD5: 7f5cecf3ee465e4668a9be0fa31674c5
SHA1: 00d15773bf1c799195ad14f61531144c2cea5e6d
SHA256: 557f29501705c8207995764e1c860f25403b6a967e6c3cf1f1e12ff123b6f636
SHA512: 3bcaaf5cd51148e2db5256711c05aaba3650c49396f9b11c30112f805c8c0338bdcafcfe62203851a282920a49def88b6d96da604422465c3cdcd2be0c7e7fcf
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-processthreads-l1-1-1.dll
Filesize: 23KB
MD5: ca1098bc9b13f7b5fc6ea115a36de9ba
SHA1: 9083f54900f0a6e03ba28ede19fe9ce64b6409d4
SHA256: ec580803a295c18ddf74878fe1637e679cd6267af6d7c3e9d639f433b685813c
SHA512: ce8202578091ff5dd1d4a961bfa4327b33ec422a9fb2d52b8fbab41a663311022e3d1122e6ccdebe613a4339a7221a5841e801d2ad33a424c9153f4b05cceb37
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-profile-l1-1-0.dll
Filesize: 23KB
MD5: 756153668502de1c25c4123733aad401
SHA1: 760238dd09d4579003418e9b9cbc778c122e6aa5
SHA256: e203f4918e3d8c88efe4dd83985a3eeb71d94116eaf9e90cb7d62973c5ccf0b6
SHA512: 6839e10fc83bf9d6f1380df221ca1b40d59da745d7c82a4140ecb468debc5f339fbbc510781850ac70696f74e4092c72bf897e9c66f3a7914d4d089aa9531cc7
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-rtlsupport-l1-1-0.dll
Filesize: 23KB
MD5: 578a8869c793d427297d8b27cd6f5bc8
SHA1: 7caef315139997a18aa9426e04af6da0fc1c42ad
SHA256: 857e523e3d6c0c96d90d9e5b491ce0bb3f514ece422999c2165eec1057fc01b2
SHA512: 0494d66b449a05c9de384e3211288f0bc1223483ccd33ac06d1ba30c68d6acd4a37c563e179fd9990c09c7dd37f94a842042d4ced93e1976ba5098c8d0d0f852
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-string-l1-1-0.dll
Filesize: 23KB
MD5: a37150945dd638258cadbf19c9721168
SHA1: dbea87d699699ec9cafb88e631cd4db9541d68d5
SHA256: f8eb2fdca2481c2961e90a54620f2189dc7d094cf287536993daf5ce522d274f
SHA512: 514d09ac3852f6fa86e79841fd2922819b596804ac166e62578bb4ea38948879b8e8ede6c6fcd368fc29727d0e2def1cdd8f02832d3f8572a98da2739cead01b
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-synch-l1-1-0.dll
Filesize: 23KB
MD5: 474af6d8555d94f7f7b98ab3c8035ae2
SHA1: 3fb45930406dc1f134f336ba57002e991bd8cf2e
SHA256: 4d30ff9cf68c9f5dd59f86a2498919bac51cae63382cfba1b4f6cafb67e31948
SHA512: 711bdb12802e32a2311fd12022e03745ee1dc0f102c1e19c26fb7181901f350244e3f0978ae87c100aee124d2aa9261faa6a9ea249df76f791deb35919ccfb7a
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-synch-l1-2-0.dll
Filesize: 23KB
MD5: 346e63df6c712107c1a43ada1209a690
SHA1: e0ef35ca47c1c3875f6edf22c28aabfafad9b4c7
SHA256: 3be68ac33afd101f25b8e214b363b31b3e8a09f4441140fcc1bd5307d6c6c44f
SHA512: a188642478b4d56d7ad632ac82032951f668b12b1721b783a4f8d059bb379edc0346208e6f6b957cf9455798ede6a8a441d9a13beab21e1e166e37783495c780
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-sysinfo-l1-1-0.dll
Filesize: 23KB
MD5: 859d9676ce764f148803141f8b2614f6
SHA1: c42507a528b7e492d6ef0c99d3946cdc3250b4c9
SHA256: ea01b104994a3c9132d7d58a7f76ced515cc62d24c762a5da3b8039ca2ee60a7
SHA512: 1bb5dcead486dba48b337ba2a7590b7ac5e90f85d7f623479c4406b16c0d5ca0fc492713c3c0a31ce0d64053246ee50a6c33ee58f0a3793f101f1af14cbb9f76
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-timezone-l1-1-0.dll
Filesize: 23KB
MD5: e1e74e6e90876973063b5c84fdb71294
SHA1: 0ebdd9d54d9d6b1b3475b466dfec6f2a121d3a87
SHA256: 232fed0561c071fed572b954bb7f0702c74543e6473cb021098a70349e3a93e8
SHA512: d998cddad2f9620803e62e408a77992980b7369b3a0a49f3cb0f9c22c0c4106b71f4ce9e0011c1b7a0541d508e20650d76fc097e9e0633c84f45089b2280dec3
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-util-l1-1-0.dll
Filesize: 23KB
MD5: 8b958395de9f6614433ea1917ee8f265
SHA1: 24d7fa69d09cf19bde347d8411d990759afdd0c8
SHA256: 9cb43b9145a69ace87b677d4021c8459891cb0446a2259b793de29335530ccfa
SHA512: 2a12e9a8100f0a39622a503d6124e5c1d5a509adb98fb44769c68c366f9a0e24f368e83be6d83a0424b0b15929c8880b5313bcf6484ee920f536b13aa6643644
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-conio-l1-1-0.dll
Filesize: 23KB
MD5: 8c4a62cafbdb87c2498e11c509300873
SHA1: 81b9180ad1194634e12a4f2fe4a52aab6f763b96
SHA256: 1d19dc9d51fd5239b0123526de6ccf9407d1c5b76a382e7c5c451706142d9e05
SHA512: 440c9dbeae6044d5ed3fae1a7c87378e2156942e0fe3c7ae29edceb622d11cf7effd209ae0d0737238e251a68aec89a04f2072ca5170492e735e367f4f5c7fc3
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-convert-l1-1-0.dll
Filesize: 27KB
MD5: f10c7d6a424f7c8f175b719b734c7bfb
SHA1: 00d62a610931451e240ccffa679e30146840db52
SHA256: 52b3c25fd17654c2ef8d51a5361e2257e72d84e495327f4f47e980fe97a12ac8
SHA512: 8d0ea30740ed956c5351a5e0d55d55e6343d13caa88b9ecc181ccec3dbc8c09f2fe4db0e7cf588843ae73393f7fc8cfd62e4113bcf3be6896d9e775fea7d4d0d
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-environment-l1-1-0.dll
Filesize: 23KB
MD5: 376af3c88806fc781657dd44790fe917
SHA1: 3b39874c4e4db575d38d01be4c4f4c673264e156
SHA256: 1048b06d6ee6a882b23c2f8e995bfd37bb987d5297df9a7752176ea45be25791
SHA512: 7316b597a13511f1e5bed6e5a3cf421bc3d8efdd6785597dc6908de658a6b20a658d09af95d5a4dce7941ab35da0b39f92d0a8f6a3398c37a2b225756c68ef4e
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-filesystem-l1-1-0.dllFilesize
23KB
MD5c0123097636db5655b905f6c8b4dd3a5
SHA1dc67706f924b97bcdd141545d37a176ce40fec6a
SHA256aaa98f62bf9b59f767526a5746d835cac3a1fa24059d4d25229a51b84d90521b
SHA51243b19efb10e69b79a47ac42589cfe112a4cb42ceb087be27ab535d065243e6ca60baba36cead040aeeaefbae545d412d2b039dcc90f3c1da0d28b528da913140
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-heap-l1-1-0.dllFilesize
23KB
MD5343858f28c824a864cf53bc434e045f6
SHA1c74bd7f49746ef17c9931f8020228396e35d613d
SHA256e306ad69288a5fc020638bf7218fe5bd343365ab9d1465934e9b1f208f50f3e1
SHA512325c359ed1caa28dfc64f0dce10923c4aa3490c0ea9a03ab5488bf4f2f8d6e5a6914d5734a5b7723bebe252dc5370d38a205ff40d9f65af356621d82094b08ef
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-locale-l1-1-0.dllFilesize
23KB
MD54ca2317d970fab725959390d9b4c5b48
SHA1663a61913997d19fbae639298a360f4c83564896
SHA2561df30836ea0826d02ac46ecb783257f774ee6bbc073ab1de62fc09a9fdac2eba
SHA512268dcc422e562f97c1cab81cc7d3a4b9c3e9e44c4679666edeec775ae049511d092fe4c99ff22e1afbc8ad065ead0d6b0fb2484dcb764cae8a3d2181f165c138
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-math-l1-1-0.dllFilesize
31KB
MD5c13c4c30c16b3c340f2ab002bcfcecea
SHA1b27a05c304d98e9eab92eedff6c60d16dfb3eb5c
SHA25694bd40ccc96f0550d021ebc53b48b844bba0298f2e57c83d07c4f508034ae8dc
SHA512e86431c1ff89dbc974c3dee8c05aba097669020b6900e06aec54054cb7fa3facd5bb96cb404a218b2562865d24a0bb1f65f098fd079e896ae610b2e2c27770c5
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-multibyte-l1-1-0.dllFilesize
31KB
MD5374d312dd46238422ee1202c8dc1b3da
SHA1b93b79504035fae2d776744ab99402a7fa846e7e
SHA256087d9859304fc2c7c55e3adbe0add2ed3ee438868ba240e45797adeadd7e5762
SHA512f803683cb92adc72770ef1b86399d48546f1687ff329e6fe8846f3b4bc1b5b0477c84b657adbdd023de5d62ead8d98e651f2631e9ee68df1196d707f0e160aaf
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-private-l1-1-0.dllFilesize
75KB
MD56723c4a5323fd1ca2230fe0c4a30bf0e
SHA136701fdf6814debd0cbfd75ef8a1b1abab610dba
SHA256e0206cfcd213a0eeff4d5c95127cfb303f15f90a9a6c6ab604e2afdeb421b54b
SHA512a54e2da6973228b54cdd6ee51b3e541f5e232cc502f4c0889045eb5afbfd81c4b8997fddbfdc66d376f3e0bf989e65001796fe474b20bbde96f78e3ec89cb3fc
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-process-l1-1-0.dllFilesize
23KB
MD5550bbfada29a9637c3e30c04f85fc4ac
SHA1f5da825a66bd168a1f306350e3437f78be190985
SHA2562f77ab480cb71f6116cc27253d2fe95f0bc029c91ef2a8ea14b429e50e41efb8
SHA512a33576a08cd4f24083807b30625f16898c939bc8bcdb94b1742a1fbefab5b1124a5d7b14fcfbbf5689f754dfb03203cc03c0a038fcf920af7999dac85272dfd7
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-runtime-l1-1-0.dllFilesize
27KB
MD542e63c1ba3f2c79b8cc193a24a9611c2
SHA17dd2bfaa737f04fad938f8696abd586327f3b4f2
SHA2560e5827d2ccacfb6893183f2a315e8845db46d5a0f40cd1c317147308b19a112b
SHA51220dfde8241545c839b01eb297c6a80156fa827b21fff01e18c71e531ec8f0905ecd214f169db44cfbd84f38b0f48e3e165d0423d807af488597ba0b9520129ce
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-stdio-l1-1-0.dllFilesize
27KB
MD597425d9aea0d462042d570587c7e5e51
SHA19c013c5c810cb631692ef184098af9ccbe172f78
SHA256cafe25bba3daa3ecc1984151e2174abca2f669c23d79a166f82e7d3489eeaf3b
SHA512adea9b32168544918c1b188f4186618f2dd09da8e1ac2b15b9e801241b8bc8f0414d6572ecaf6a4c5026ba142e789744eca04468cd333261251ec8680801f231
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-string-l1-1-0.dllFilesize
27KB
MD5e5623db2a54b98d1c69644777eb9cdba
SHA17ee9ff896277291cce9953ea6ef58def4fa3e3d0
SHA2566054ce87cdc6f2edc1240f75c50db5ef02a8372453debbb1f07dd538af1ac638
SHA512e0d5c51a4d6d225c0158b7fcb2e1ac026b23cf76b42683006c8368482056a9e05141d78e38d378111ac56e92f5610105d5e69a3876f74ea69a9a3cf1e451fea4
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-time-l1-1-0.dllFilesize
23KB
MD5ea1711980e463c54a29da0bbf999db55
SHA1034d567fd6ca548c9c9e254fda01a1e559ef0077
SHA2563a0e9029ca829380cabbc4a448e47657a01ba668bc7d2da7dc490f0571147b94
SHA512d766ce1318bafc8866d6a58b14fc6f444ebf1d84f5aebdee77dbb576947c63decbb96f8fc53c279caa2e06264d76e47c167f941da2dcc6ba950318ea67aa52c2
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-utility-l1-1-0.dllFilesize
23KB
MD54548eac2865691d00f8bbc5c79b880b6
SHA12ac1c450daffbb22e62ff60a06409d98c6cf23c8
SHA256453694608971d4291f52c0d6070698f7d29472a9416b52117e32640a083f683b
SHA512ee99ee11b7f315f0b21fb27fa93d2aa32ff710862e3a31865f283f4ef521f2504f2c4b23b6b88c615056aef2fc9812aad6787695adc05840561191ec927a29ce
-
C:\Users\Admin\AppData\Local\Temp\crashhandler.dllFilesize
361KB
MD59667216fc56106299cfe0474afdeaf39
SHA138b0768abfcd617bd8db59431a9525d789c84f83
SHA256b056457b66dea391772a655ba03871180160314df68768f43b21c3cedf9d19ed
SHA512a3c02500299e433ada5de7cc12bb05ee6b947ce363d355bb074a5525c68ccf0ccf46b5732262bb56e88f4dc2a0e32d4d577858c48a742a63745be8c3f018bba1
-
C:\Users\Admin\AppData\Local\Temp\logs\bootstrap_log.txtFilesize
16KB
MD51e43660c044fde808e01631b30cb7849
SHA1ab1d440ee2831059d65afd70bddd4e42e0d1812f
SHA2565ecd467c9726fb131e78fd090a1ff8c78363a623e30cbb7bd75f9f2446d81c3b
SHA51256f95c42d76e8c4ba08477a786516f148cdc96d387c4de66f80ce2af87b3522eea7ac73ac04e6322938fec6b4cdf8c540e8b3c155ad5a62385143faef9b275ef
-
C:\Users\Admin\AppData\Local\Temp\package\steam_client_metrics.binFilesize
3KB
MD5865b0d09e12ccc72c06440d5aa8b2f6c
SHA1ba7bf6caea467e99f5690d9b9ad97dfedfba97d8
SHA2566ace889f5d60f104ef46ca01a2e0fa56f41311bd62fdf2a43ce68fdaff3b0671
SHA512ea937159c938697b5d38c19f6ca50eda9a2029a064e8fd38f5c98c0e222f3c20c55d740f7fd99d1809db00742790b369dd190b808d73e7ade755ff96414e5f2a
-
C:\Users\Admin\AppData\Local\Temp\package\steam_client_win32.installedFilesize
472KB
MD547b4cda4eca080f606db46825e5874c2
SHA1c16b5f6787380414c952847ef2ba6f0ad5107daf
SHA256bf32c6b394b380065e438d7b8dd2f3677596f60918d021792fb4594656f3a0c9
SHA5127e1f01d24847abc3b9666fc3dd780a70eeb7992745bfb081362478df51b70ca964ce431958b9d15c7eb97de87630e09dd7f1dc374dfce45c0e02fb856adfc56b
-
C:\Users\Admin\AppData\Local\Temp\package\steam_client_win32.manifestFilesize
9KB
MD593e69eae544858aa33c9c1f6d48c4a8b
SHA1f8b18435ceaad470bd809f02ac2934a5926e6adf
SHA2567c569ccef088133b444f049ae07a8b9e6bdb78ef1b00ccfc6eacbf7b23619b3c
SHA512cc4256ea641a41c31bce7ff19d4a5dc50a3a123cd039dba85b70549dcfdd9798024a258dab1be734165a89fcd24792d623f064ed4a639567f68b57b864d2be8b
-
C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\[email protected]_Filesize
15KB
MD5577b7286c7b05cecde9bea0a0d39740e
SHA1144d97afe83738177a2dbe43994f14ec11e44b53
SHA256983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824
SHA5128cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0
-
C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\icon_button_news_mousedown.tga_Filesize
20KB
MD500bf35778a90f9dfa68ce0d1a032d9b5
SHA1de6a3d102de9a186e1585be14b49390dcb9605d6
SHA256cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2
SHA512342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041
-
C:\Users\Admin\AppData\Local\Temp\package\tmp\resource\filter_clean_bulgarian.txt.gz_Filesize
23B
MD5836dd6b25a8902af48cd52738b675e4b
SHA1449347c06a872bedf311046bca8d316bfba3830b
SHA2566feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64
SHA5126ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80
-
C:\Users\Admin\AppData\Local\Temp\public\steambootstrapper_english.txtFilesize
4KB
MD5da6cd2483ad8a21e8356e63d036df55b
SHA10e808a400facec559e6fbab960a7bdfaab4c6b04
SHA256ebececd3f691ac20e5b73e5c81861a01531203df3cf2baa9e1b6d004733a42a6
SHA51206145861eb4803c9813a88cd715769a4baa0bab0e87b28f59aa242d4369817789f4c85114e8d0ceb502e080ec3ec03400385924ec7537e7b04f724ba7f17b925
-
\Users\Admin\AppData\Local\Temp\HD_2024-05-29_e9d2095fecf3cbe693cdf24316f02c2e_icedid_magniber_qakbot.exeFilesize
4.2MB
MD50f433ee9a006400416679cf6e5a510c5
SHA1558403043f0288aba3d9a43e9dfa7e109bc0b31a
SHA25688eb0e145502e84cfb242b4733eeecbda53f78e33fe748f3c0e1fb14edbd7cd4
SHA51282048118e7b816ffe9dd0ce114b0fda049345e9d27ab64b1c7a2efb4edb2d08775379ad6678c5a6a77fbfa91d8969e8642460f62b5cded32a704ab238a010ba3
-
\Users\Admin\AppData\Local\Temp\RVN.exeFilesize
377KB
MD580ade1893dec9cab7f2e63538a464fcc
SHA1c06614da33a65eddb506db00a124a3fc3f5be02e
SHA25657a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4
-
memory/1700-13096-0x00000000709D0000-0x0000000071CE0000-memory.dmpFilesize
19.1MB
-
memory/1700-12857-0x00000000709D0000-0x0000000071CE0000-memory.dmpFilesize
19.1MB
-
memory/1736-8-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/1736-12-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/1736-7-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/1736-5-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2480-24-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2480-18-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2712-32-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2712-34-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2712-38-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2712-72-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2988-12512-0x0000000000060000-0x0000000000061000-memory.dmpFilesize
4KB