Analysis
max time kernel: 101s
max time network: 151s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03-06-2024 10:25
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
Resource: win7-20240221-en
General
Target: 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
Size: 4.6MB
MD5: 06bb37eb2744eb9f23cb1a25b82c5845
SHA1: fa416078604d02d9e222200c50f9261b833891f0
SHA256: 4ed1bd9470e986123ecadb2e316fd2201f008dc9735fa12b1c1dd5dcb89a6dbd
SHA512: 70838c38fd682874f16839115ea9f45f0a6baa6cf431aa591e481c648026ffa8669c2ced9e2110441722e34390963b1f53519275a20c788cc5459f4427d082e1
SSDEEP: 98304:rDokH1WPirCB6Ijt91p2GWNzSC34g2FiiIVD527BWG:3tHSi6XGNNiE/VVQBWG
Malware Config
Signatures
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation | steamwebhelper.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation | steamwebhelper.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation | steamwebhelper.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation | steamwebhelper.exe
Executes dropped EXE (64 IoCs)
pid | process
480 | (blank in report)
2540 | alg.exe
2424 | aspnet_state.exe
2404 | mscorsvw.exe
2804 | mscorsvw.exe
292 | mscorsvw.exe
2000 | mscorsvw.exe
2140 | ehRecvr.exe
1500 | ehsched.exe
2260 | elevation_service.exe
1328 | IEEtwCollector.exe
1124 | GROOVE.EXE
1240 | maintenanceservice.exe
1012 | msdtc.exe
2776 | msiexec.exe
2192 | OSE.EXE
2544 | OSPPSVC.EXE
2892 | perfhost.exe
2136 | locator.exe
1756 | snmptrap.exe
2828 | vds.exe
2316 | vssvc.exe
592 | wbengine.exe
848 | WmiApSrv.exe
1596 | wmpnetwk.exe
2632 | SearchIndexer.exe
1448 | mscorsvw.exe
2936 | mscorsvw.exe
1304 | mscorsvw.exe
2460 | mscorsvw.exe
2388 | mscorsvw.exe
1644 | mscorsvw.exe
768 | mscorsvw.exe
2432 | mscorsvw.exe
2956 | mscorsvw.exe
1164 | mscorsvw.exe
2388 | mscorsvw.exe
1240 | mscorsvw.exe
1148 | mscorsvw.exe
2416 | mscorsvw.exe
1224 | mscorsvw.exe
1532 | mscorsvw.exe
2044 | mscorsvw.exe
1572 | mscorsvw.exe
884 | mscorsvw.exe
2936 | mscorsvw.exe
2672 | mscorsvw.exe
2636 | mscorsvw.exe
1320 | mscorsvw.exe
780 | mscorsvw.exe
2196 | mscorsvw.exe
2492 | dllhost.exe
2404 | steamwebhelper.exe
1680 | steamwebhelper.exe
2712 | steamwebhelper.exe
1456 | gldriverquery64.exe
108 | gldriverquery.exe
2160 | steamwebhelper.exe
2116 | steamwebhelper.exe
3092 | steamwebhelper.exe
3300 | steamwebhelper.exe
3448 | vulkandriverquery64.exe
3696 | vulkandriverquery.exe
3816 | steamwebhelper.exe
Loads dropped DLL (64 IoCs)
pid | process
480 | (blank in report)
480 | (blank in report)
480 | (blank in report)
480 | (blank in report)
480 | (blank in report)
480 | (blank in report)
480 | (blank in report)
2776 | msiexec.exe
480 | (blank in report)
480 | (blank in report)
480 | (blank in report)
480 | (blank in report)
480 | (blank in report)
772 | (blank in report)
2940 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
480 | (blank in report)
2940 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
2940 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
2940 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
2940 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
2940 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
2940 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
2940 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
2940 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
2940 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
2940 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
2940 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
2940 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
2940 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
2940 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
2940 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
2404 | steamwebhelper.exe
2404 | steamwebhelper.exe
2404 | steamwebhelper.exe
2404 | steamwebhelper.exe
2404 | steamwebhelper.exe
1680 | steamwebhelper.exe
1680 | steamwebhelper.exe
1680 | steamwebhelper.exe
2940 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
2940 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
2404 | steamwebhelper.exe
2712 | steamwebhelper.exe
2712 | steamwebhelper.exe
2712 | steamwebhelper.exe
2712 | steamwebhelper.exe
2712 | steamwebhelper.exe
2712 | steamwebhelper.exe
2940 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
2940 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
2940 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
2404 | steamwebhelper.exe
2160 | steamwebhelper.exe
2160 | steamwebhelper.exe
2160 | steamwebhelper.exe
2160 | steamwebhelper.exe
2160 | steamwebhelper.exe
2160 | steamwebhelper.exe
2404 | steamwebhelper.exe
2404 | steamwebhelper.exe
2116 | steamwebhelper.exe
3092 | steamwebhelper.exe
2116 | steamwebhelper.exe
3092 | steamwebhelper.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (21 IoCs)
description | ioc | process
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\f54eb5f578a61a12.bin | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | GROOVE.EXE
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | SearchProtocolHost.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | alg.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\7z.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\Java\jre7\bin\ktab.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\Java\jre7\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{1FD4E3A4-6FE0-492C-90E9-7EE360CDB9FF}\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\Java\jre7\bin\jabswitch.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe | alg.exe
Drops file in Windows directory (34 IoCs)
description | ioc | process
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | alg.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | alg.exe
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A0EC6BFE-71F5-447A-A38F-F3622EE830BA}.crmlog | dllhost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | mscorsvw.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A0EC6BFE-71F5-447A-A38F-F3622EE830BA}.crmlog | dllhost.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\ehome\ehRecvr.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\ehome\ehsched.exe | alg.exe
Checks processor information in registry (2 TTPs, 7 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | steamwebhelper.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | steamwebhelper.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer | wmpnetwk.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10058 = "Purble Place" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10302 = "Compete with - and against - online opponents at the classic trick-taking, partnership card game of Spades. Score the most points to win." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10082 = "Games Explorer" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | ehRec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32822 = "Everywhere" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\syncCenter.dll,-3001 = "Sync files between your computer and network folders" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20 = "Windows Firewall with Advanced Security" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10309 = "Solitaire is the classic, single-player card game. The aim is to collect all the cards in runs of alternating red and black suit colors, from ace through king." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sdcpl.dll,-100 = "Backup and restore your files and system. Monitor latest backup status and configuration." | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wmpnetwk.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\OobeFldr.dll,-33057 = "Learn about Windows features and start using them." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SoundRecorder.exe,-32790 = "Record sound and save it on your computer." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10056 = "Hearts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\ehome\ehres.dll,-116 = "Opens your home entertainment option for digital and on-demand media, including TV, movies, music and pictures." | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\SnippingTool.exe,-15052 = "Capture a portion of your screen so you can save, annotate, or share the image." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008 = "Windows Mobility Center" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\odbcint.dll,-1310 = "Data Sources (ODBC)" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003085ca5ca0b5da01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010f3045ca0b5da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591 = "Windows Easy Transfer Reports" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10304 = "Move all the cards to the home cells using the free cells as placeholders. Stack the cards by suit and rank from lowest (ace) to highest (king)." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10303 = "Enjoy the classic strategy game of Chess. Play against the computer, or compete against a friend. The winner is the first to capture the opponent's king." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-101 = "Event Viewer" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10305 = "Hearts is a trick-based card game in which the goal is to get rid of cards while avoiding points. The player with the lowest number of points wins." | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001 = "iSCSI Initiator" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehdrop.dll,-152 = "Microsoft Recorded TV Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" | ehRec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" | ehRec.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\recdisc.exe,-2001 = "Creates a disc you can use to access system recovery options." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4 = "Windows Media Player" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10209 = "More Games from Microsoft" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\DVD Maker\DVDMaker.exe,-63385 = "Burn pictures and video to DVD." | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\sud.dll,-10 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music." | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | ehRec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse" | SearchProtocolHost.exe
Modifies system certificate store 3 IoCs
Processes:
2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
Note: AuthRoot is the cache that CryptoAPI's automatic root update fills, from inside the calling process, when chain building needs a public root that is not yet on the machine; the process tree attributes this write to the second instance of the sample (PID 2940). The SHA-1 thumbprint 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 is that of the DigiCert High Assurance EV Root CA, a public root, so on a freshly imaged host this is what verifying a signed binary looks like rather than the sample installing its own trust anchor. A planted root would normally appear under ...\SystemCertificates\Root\Certificates\<thumbprint> (or the per-user equivalent), not under AuthRoot.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
1416 ehRec.exe
2340 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe (one row per enumeration event; repeated)
2940 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe (one row per enumeration event; repeated)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exepid process 2940 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
pid process privileges enabled (the original table lists one row per AdjustTokenPrivileges call, so the same privilege appears many times for the same process)
2340 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe SeTakeOwnershipPrivilege, SeDebugPrivilege
292 mscorsvw.exe SeShutdownPrivilege
2000 mscorsvw.exe SeShutdownPrivilege
2012 EhTray.exe 33 (SeIncreaseWorkingSetPrivilege, shown by LUID), SeIncBasePriorityPrivilege
1416 ehRec.exe SeDebugPrivilege
2776 msiexec.exe SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
2316 vssvc.exe SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
592 wbengine.exe SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
1596 wmpnetwk.exe 33 (SeIncreaseWorkingSetPrivilege), SeIncBasePriorityPrivilege
2632 SearchIndexer.exe SeManageVolumePrivilege, 33 (SeIncreaseWorkingSetPrivilege), SeIncBasePriorityPrivilege
2540 alg.exe SeDebugPrivilege
2404 steamwebhelper.exe SeShutdownPrivilege
3392 steamwebhelper.exe SeShutdownPrivilege
Note: msiexec.exe, vssvc.exe and wbengine.exe enable backup, restore and security privileges as part of their normal service work, and the mscorsvw.exe and steamwebhelper.exe entries are routine. The rows that matter are the sample (PID 2340) enabling SeTakeOwnershipPrivilege, which the process tree pairs with writes into System32, Program Files and the Windows directory, and SeDebugPrivilege being enabled by alg.exe (PID 2540) and ehRec.exe (PID 1416), two Windows service binaries that the report also flags as dropped (written during the run) EXEs. A stock service has no reason to take SeDebugPrivilege, so those on-disk binaries deserve an Authenticode check before the report's "executes dropped EXE" rows are dismissed as sandbox noise.
-
Suspicious use of FindShellTrayWindow 13 IoCs
Processes:
pid process (events)
2012 EhTray.exe (2)
3392 steamwebhelper.exe (11)
-
Suspicious use of SendNotifyMessage 12 IoCs
Processes:
pid process (events)
2012 EhTray.exe (2)
3392 steamwebhelper.exe (10)
-
Suspicious use of SetWindowsHookEx 18 IoCs
Processes:
pid process (events)
1620 SearchProtocolHost.exe (17)
2940 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe (1)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ppid parent process -> pid target process (write events)
2632 SearchIndexer.exe -> 1620 SearchProtocolHost.exe (3)
2632 SearchIndexer.exe -> 2668 SearchFilterHost.exe (3)
2000 mscorsvw.exe -> 1448 mscorsvw.exe (3)
2000 mscorsvw.exe -> 2936 mscorsvw.exe (3)
292 mscorsvw.exe -> 1304 mscorsvw.exe (4)
292 mscorsvw.exe -> 2460 mscorsvw.exe (4)
292 mscorsvw.exe -> 2388 mscorsvw.exe (4)
292 mscorsvw.exe -> 1644 mscorsvw.exe (4)
292 mscorsvw.exe -> 768 mscorsvw.exe (4)
292 mscorsvw.exe -> 2432 mscorsvw.exe (4)
292 mscorsvw.exe -> 2956 mscorsvw.exe (4)
292 mscorsvw.exe -> 1164 mscorsvw.exe (4)
292 mscorsvw.exe -> 2388 mscorsvw.exe (4, PID reused by a later worker)
292 mscorsvw.exe -> 1240 mscorsvw.exe (4)
292 mscorsvw.exe -> 1148 mscorsvw.exe (4)
292 mscorsvw.exe -> 2416 mscorsvw.exe (4)
292 mscorsvw.exe -> 1224 mscorsvw.exe (4)
Note: a handful of writes into each freshly created child is what process creation itself produces, and every pair here is a parent starting its own helper: the NGEN service (mscorsvw.exe) spawning its worker processes, which the process tree shows as "-NGENProcess ... NGen Worker Process", and Windows Search spawning its protocol and filter hosts. No write into a process of an unrelated image, which is what code injection would look like in this table, is listed; neither instance of the sample appears as a writer at all.
-
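The AdjustPrivilegeToken and WriteProcessMemory tables above are easier to reason about once they are parsed into per-process privilege sets and a parent-to-child write graph. The following is an added example, not part of this report or of the sandbox's own tooling; it assumes the two record shapes seen in this report (`Token: <privilege> <pid> <image>` and `PID <ppid> wrote to memory of <pid> <ppid> <parent image> <child image>`), embeds a constructed subset of the report's rows as input, and maps the bare LUID 33 to its winnt.h name (SE_INC_WORKING_SET_PRIVILEGE). The HIGH_RISK set is an analyst's choice, not something the report defines.

```python
"""Parse flattened Triage-style IoC records into structures an analyst can query.

Added example; not part of the sandbox report or of the sandbox's tooling.
"""
import re
from collections import Counter, defaultdict

SAMPLE_IMAGE = "2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe"

# Constructed input: a subset of the rows from the report's
# "Suspicious use of AdjustPrivilegeToken" table, one record per line.
TOKEN_RECORDS = f"""
Token: SeTakeOwnershipPrivilege 2340 {SAMPLE_IMAGE}
Token: SeShutdownPrivilege 292 mscorsvw.exe
Token: 33 2012 EhTray.exe
Token: SeIncBasePriorityPrivilege 2012 EhTray.exe
Token: SeDebugPrivilege 1416 ehRec.exe
Token: SeRestorePrivilege 2776 msiexec.exe
Token: SeDebugPrivilege 2340 {SAMPLE_IMAGE}
Token: SeDebugPrivilege 2340 {SAMPLE_IMAGE}
Token: SeDebugPrivilege 2540 alg.exe
Token: SeShutdownPrivilege 3392 steamwebhelper.exe
"""

# Constructed input: a subset of the "Suspicious use of WriteProcessMemory" table.
WPM_RECORDS = """
PID 2632 wrote to memory of 1620 2632 SearchIndexer.exe SearchProtocolHost.exe
PID 2632 wrote to memory of 1620 2632 SearchIndexer.exe SearchProtocolHost.exe
PID 2632 wrote to memory of 2668 2632 SearchIndexer.exe SearchFilterHost.exe
PID 292 wrote to memory of 1304 292 mscorsvw.exe mscorsvw.exe
PID 292 wrote to memory of 1304 292 mscorsvw.exe mscorsvw.exe
PID 292 wrote to memory of 2460 292 mscorsvw.exe mscorsvw.exe
"""

# Privileges the report prints as a bare LUID (values from winnt.h SE_*_PRIVILEGE).
PRIVILEGE_LUIDS = {"33": "SeIncreaseWorkingSetPrivilege"}

# Analyst's choice: privileges worth a look when enabled by anything other than
# a backup, installer or debugging component.
HIGH_RISK = {"SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeRestorePrivilege",
             "SeBackupPrivilege", "SeLoadDriverPrivilege"}

TOKEN_RE = re.compile(r"^Token:\s+(\S+)\s+(\d+)\s+(\S+)$")
# The ppid appears twice in each record; the backreference enforces that.
WPM_RE = re.compile(r"^PID\s+(\d+)\s+wrote to memory of\s+(\d+)\s+\1\s+(\S+)\s+(\S+)$")


def parse_token_records(text):
    """Map (pid, image) -> Counter of privilege name -> number of enable events."""
    out = defaultdict(Counter)
    for line in text.strip().splitlines():
        m = TOKEN_RE.match(line.strip())
        if not m:
            continue  # column headers or garbled lines are skipped
        priv, pid, image = m.groups()
        out[(int(pid), image)][PRIVILEGE_LUIDS.get(priv, priv)] += 1
    return dict(out)


def high_risk_enablers(text):
    """Sorted (pid, image, privilege) triples for privileges in HIGH_RISK."""
    hits = set()
    for (pid, image), privs in parse_token_records(text).items():
        hits.update((pid, image, p) for p in privs if p in HIGH_RISK)
    return sorted(hits)


def parse_wpm_records(text):
    """Map (ppid, parent image) -> Counter of (pid, child image) -> write events."""
    out = defaultdict(Counter)
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        ppid, pid, parent, child = m.groups()
        out[(int(ppid), parent)][(int(pid), child)] += 1
    return dict(out)


def children_of(text, ppid):
    """Distinct (pid, image) targets a parent wrote into, in first-seen order."""
    for (p, _parent), targets in parse_wpm_records(text).items():
        if p == ppid:
            return list(targets)
    return []


if __name__ == "__main__":
    for (pid, image), privs in sorted(parse_token_records(TOKEN_RECORDS).items()):
        print(pid, image, dict(privs))
    print("high risk:", high_risk_enablers(TOKEN_RECORDS))
    print("children of 292:", children_of(WPM_RECORDS, 292))
```

Running it on the embedded rows lists the sample (PID 2340) for SeTakeOwnershipPrivilege and SeDebugPrivilege and alg.exe (PID 2540) and ehRec.exe (PID 1416) for SeDebugPrivilege, while the write graph shows only same-image or Windows Search parent-to-child pairs. Pasting the full tables from the report into the two constants gives the complete picture.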
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340 -
C:\Users\Admin\AppData\Local\Temp\2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exeC:\Users\Admin\AppData\Local\Temp\2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe2⤵
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2940 -
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exeC:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=2940" "-buildid=1716584667" "-steamid=0" "-logdir=C:\Users\Admin\AppData\Local\Temp\logs" "-uimode=7" "-startcount=0" "-userdatadir=C:\Users\Admin\AppData\Local\Steam\cefdata" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Users\Admin\AppData\Local\Temp\clientui" "-steampath=C:\Users\Admin\AppData\Local\Temp\2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write --disablehighdpi "--force-device-scale-factor=1" "--device-scale-factor=1" "--log-file=C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --disable-quick-menu "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal"3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2404 -
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exeC:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\dumps "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1716584667 --initial-client-data=0x224,0x228,0x22c,0x1f8,0x230,0x7feec87ee38,0x7feec87ee48,0x7feec87ee584⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1084 --field-trial-handle=1212,i,9404212217483185549,14435706536704771212,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1244 --field-trial-handle=1212,i,9404212217483185549,14435706536704771212,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1600 --field-trial-handle=1212,i,9404212217483185549,14435706536704771212,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:84⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2116 -
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1640 --field-trial-handle=1212,i,9404212217483185549,14435706536704771212,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:84⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3092 -
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --first-renderer-process --force-device-scale-factor=1 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2264 --field-trial-handle=1212,i,9404212217483185549,14435706536704771212,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:14⤵
- Checks computer location settings
- Executes dropped EXE
PID:3300 -
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1528 --field-trial-handle=1212,i,9404212217483185549,14435706536704771212,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:24⤵
- Executes dropped EXE
PID:3816 -
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=2196 --field-trial-handle=1212,i,9404212217483185549,14435706536704771212,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:24⤵PID:4080
-
C:\Users\Admin\AppData\Local\Temp\bin\gldriverquery64.exe.\bin\gldriverquery64.exe3⤵
- Executes dropped EXE
PID:1456 -
C:\Users\Admin\AppData\Local\Temp\bin\gldriverquery.exe.\bin\gldriverquery.exe3⤵
- Executes dropped EXE
PID:108 -
C:\Users\Admin\AppData\Local\Temp\bin\vulkandriverquery64.exe.\bin\vulkandriverquery64.exe3⤵
- Executes dropped EXE
PID:3448 -
C:\Users\Admin\AppData\Local\Temp\bin\vulkandriverquery.exe.\bin\vulkandriverquery.exe3⤵
- Executes dropped EXE
PID:3696 -
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exeC:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=2940" "-buildid=1716584667" "-steamid=0" "-logdir=C:\Users\Admin\AppData\Local\Temp\logs" "-uimode=7" "-startcount=1" "-userdatadir=C:\Users\Admin\AppData\Local\Steam\cefdata" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Users\Admin\AppData\Local\Temp\clientui" "-steampath=C:\Users\Admin\AppData\Local\Temp\2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write --disablehighdpi "--force-device-scale-factor=1" "--device-scale-factor=1" "--log-file=C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --disable-quick-menu "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal"3⤵
- Checks computer location settings
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3392 -
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exeC:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\dumps "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1716584667 --initial-client-data=0x228,0x22c,0x230,0x1fc,0x234,0x7feeeb6ee38,0x7feeeb6ee48,0x7feeeb6ee584⤵PID:3412
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1148 --field-trial-handle=1196,i,8207329705068364663,10487266065162901732,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:24⤵PID:3584
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1480 --field-trial-handle=1196,i,8207329705068364663,10487266065162901732,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:24⤵PID:3808
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1236 --field-trial-handle=1196,i,8207329705068364663,10487266065162901732,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:84⤵PID:4008
-
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (level 4, PID 1724)
Command line: "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1264 --field-trial-handle=1196,i,8207329705068364663,10487266065162901732,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (level 4, PID 3600)
Command line: "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --first-renderer-process --force-device-scale-factor=1 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2252 --field-trial-handle=1196,i,8207329705068364663,10487266065162901732,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1
- Checks computer location settings

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (level 4, PID 3132)
Command line: "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1480 --field-trial-handle=1196,i,8207329705068364663,10487266065162901732,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (level 4, PID 2560)
Command line: "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1716584667 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1508 --field-trial-handle=1196,i,8207329705068364663,10487266065162901732,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2

C:\Windows\System32\alg.exe (level 1, PID 2540)
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe (level 1, PID 2424)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
- Executes dropped EXE

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (level 1, PID 2404)
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (level 1, PID 2804)
Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 1, PID 292)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 1304)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  - Executes dropped EXE

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 2460)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  - Executes dropped EXE

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 2388)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 1f0 -Pipe 244 -Comment "NGen Worker Process"
  - Executes dropped EXE

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 1644)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 240 -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  - Executes dropped EXE

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 768)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 254 -Pipe 260 -Comment "NGen Worker Process"
  - Executes dropped EXE

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 2432)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 25c -NGENProcess 1f0 -Pipe 1d8 -Comment "NGen Worker Process"
  - Executes dropped EXE

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 2956)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 23c -NGENProcess 264 -Pipe 24c -Comment "NGen Worker Process"
  - Executes dropped EXE

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 1164)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1e8 -NGENProcess 268 -Pipe 254 -Comment "NGen Worker Process"
  - Executes dropped EXE

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 2388)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 270 -NGENProcess 1f0 -Pipe 250 -Comment "NGen Worker Process"
  - Executes dropped EXE

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 1240)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 264 -Pipe 26c -Comment "NGen Worker Process"
  - Executes dropped EXE

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 1148)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 268 -Pipe 240 -Comment "NGen Worker Process"
  - Executes dropped EXE

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 2416)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 1f0 -Pipe 25c -Comment "NGen Worker Process"
  - Executes dropped EXE

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 1224)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 264 -Pipe 23c -Comment "NGen Worker Process"
  - Executes dropped EXE

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 1532)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 268 -Pipe 1e8 -Comment "NGen Worker Process"
  - Executes dropped EXE

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 2044)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 1f0 -Pipe 270 -Comment "NGen Worker Process"
  - Executes dropped EXE

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 1572)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 264 -Pipe 274 -Comment "NGen Worker Process"
  - Executes dropped EXE

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 884)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 268 -Pipe 278 -Comment "NGen Worker Process"
  - Executes dropped EXE

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 2936)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 1f0 -Pipe 27c -Comment "NGen Worker Process"
  - Executes dropped EXE

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 2672)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 264 -Pipe 280 -Comment "NGen Worker Process"
  - Executes dropped EXE

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 2636)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 264 -NGENProcess 28c -Pipe 2a0 -Comment "NGen Worker Process"
  - Executes dropped EXE

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 1320)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 29c -Pipe 288 -Comment "NGen Worker Process"
  - Executes dropped EXE

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 780)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a8 -NGENProcess 294 -Pipe 2a4 -Comment "NGen Worker Process"
  - Executes dropped EXE

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (level 2, PID 2196)
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 1d4 -NGENProcess 1f0 -Pipe 28c -Comment "NGen Worker Process"
  - Executes dropped EXE

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (level 1, PID 2000)
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (level 2, PID 1448)
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
  - Executes dropped EXE

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (level 2, PID 2936)
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 23c -NGENProcess 224 -Pipe 238 -Comment "NGen Worker Process"
  - Executes dropped EXE

C:\Windows\ehome\ehRecvr.exe (level 1, PID 2140)
Command line: C:\Windows\ehome\ehRecvr.exe
- Executes dropped EXE

C:\Windows\ehome\ehsched.exe (level 1, PID 1500)
Command line: C:\Windows\ehome\ehsched.exe
- Executes dropped EXE

C:\Windows\eHome\EhTray.exe (level 1, PID 2012)
Command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (level 1, PID 2260)
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE

C:\Windows\ehome\ehRec.exe (level 1, PID 1416)
Command line: C:\Windows\ehome\ehRec.exe -Embedding
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\IEEtwCollector.exe (level 1, PID 1328)
Command line: C:\Windows\system32\IEEtwCollector.exe /V
- Executes dropped EXE

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE (level 1, PID 1124)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
- Executes dropped EXE
- Drops file in System32 directory

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (level 1, PID 1240)
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE

C:\Windows\System32\msdtc.exe (level 1, PID 1012)
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory

C:\Windows\system32\msiexec.exe (level 1, PID 2776)
Command line: C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE (level 1, PID 2192)
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (level 1, PID 2544)
Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
- Executes dropped EXE

C:\Windows\SysWow64\perfhost.exe (level 1, PID 2892)
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE

C:\Windows\system32\locator.exe (level 1, PID 2136)
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE

C:\Windows\System32\snmptrap.exe (level 1, PID 1756)
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE

C:\Windows\System32\vds.exe (level 1, PID 2828)
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE

C:\Windows\system32\vssvc.exe (level 1, PID 2316)
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe (level 1, PID 592)
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\WmiApSrv.exe (level 1, PID 848)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE

C:\Program Files\Windows Media Player\wmpnetwk.exe (level 1, PID 1596)
Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\SearchIndexer.exe (level 1, PID 2632)
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\system32\SearchProtocolHost.exe (level 2, PID 1620)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx

  C:\Windows\system32\SearchFilterHost.exe (level 2, PID 2668)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  - Modifies data under HKEY_USERS

C:\Windows\system32\dllhost.exe (level 1, PID 2492)
Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
- Executes dropped EXE
- Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\[email protected]_
Filesize15KB
MD5577b7286c7b05cecde9bea0a0d39740e
SHA1144d97afe83738177a2dbe43994f14ec11e44b53
SHA256983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824
SHA5128cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0
-
Filesize
20KB
MD500bf35778a90f9dfa68ce0d1a032d9b5
SHA1de6a3d102de9a186e1585be14b49390dcb9605d6
SHA256cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2
SHA512342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041
-
Filesize
23B
MD5836dd6b25a8902af48cd52738b675e4b
SHA1449347c06a872bedf311046bca8d316bfba3830b
SHA2566feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64
SHA5126ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize24B
MD5b9bd716de6739e51c620f2086f9c31e4
SHA19733d94607a3cba277e567af584510edd9febf62
SHA2567116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize
872KB
MD5acf366189cdabdd050816b2ff38525b9
SHA1f95644d355f8c0a790f401ff4665b0592a21d0c9
SHA2566c81c71246795451046a52e5468b02bf4f6457a21621055e68b054e0045668b0
SHA512a6757368128388ff77430e7c5a43cced6b0ed9c767e408b9db7db9994acfa96f1ee2d04c715e02710e6b2acab4a96b1ddab448c3db15a06918744bda2dc743c7
-
Filesize
678KB
MD52236b2e8e7e9cf8191caa16e0d6e2465
SHA1bea596ee00edfca4664578192ba3b2308ef1dc2b
SHA25613e055975b3b4ac32a2f05e86eb9bc4b458184206088583c46ced957a06a50ee
SHA512b1e91105a66a3872bd0abd4df74e6c02271215cae22d88703b82c5658fd9b9f45e4a37e11a57d83f0b5228adcaeb18251a73e2bffcf7878166b230b10ed804c4
-
Filesize
625KB
MD575ebd58ccff537b1762cb4fa4b00bf8d
SHA1ba7c3bcaf3908f38f7b541abbae823597754d823
SHA2563c0e33e20b15742c6f042cba55ce6e2eddad31d1f873781727b528dd3bda83f1
SHA512ebdb7c96374970e0bc62546de465e34a322ab726e276014bfd321696eda210c2dbb5ae810ec8a85c4cf5377445b8776a959d1a0c8e28fc208dab8d62a0a77144
-
Filesize
1003KB
MD54a501ba1cc7b1d70560b8f810abae810
SHA1e7fcb6949b0b31aeccde0dd37c9136987b4f3c83
SHA25681ed65a994b229715d42a6202987201999e587a7ce7b9f6029deaff00a01e6c5
SHA5121184d802fdb98bcdbc731ddcbc6a7ce0f99bb0c3109f24cf03e5901322c383aab4124ffd09340c9357d69554059c61b0c124ecb15bb1e41d6b4650f66eba1b90
-
Filesize
656KB
MD52ba281fdcb3e3e92f456086956dd30b1
SHA146ef2a3358a2dde61d3803e395148368342ff362
SHA256257a1ecf4c446b529eb598e839acfe6e2e7a455cf994c4ef8dc9c9f2c5803af0
SHA512492a7d9a3825015fb93540fe7f7056b03c44258c551a47ce1891fbdc219937c4bb7fa518796c58db61e54519e1c51d882bd07866de86f970e2ed8ef2c432975f
-
Filesize
587KB
MD5baa09ee0ec770b5c59bf7198de9d2e60
SHA15c35982f3a0e64da0be5568f18b815364bb5cc08
SHA2567aac561f7f950c302dc3d7e31abe3b9b13c2c3c23f8428a30b7738f56fe867bd
SHA512bc61af862f242adde5200c34858649fe983cabd1b25d358fea9398b78fde4f81da45533161f64f36d634fedbac019a647fd5ee26863d8fb569aab893bfcd9cfc
-
Filesize
1.1MB
MD568611301170eccb498b3cae9fcae4c7e
SHA181aaae43a5dc12d189cf3ea256dcef00a7a4b6d6
SHA2561c4ecf7e7f3147183089811edc94ef0908f315c3627632f2e103e51af01f186a
SHA5124d5d2fcedf9136bb2a5324f603cc0c12c0134b18be9c4058e98fe30e52e77db20d308d4981a113826c72748894fd2622b49f9f5659aea9c3834437e9507274eb
-
Filesize
2.1MB
MD5ea26765a6e3254b53fddbea9db383147
SHA1c4863a40b9b75c2fdab0d41f90df475d1ab6d867
SHA25602078945c824acc8e0a3f720907b7c6ad8205ab75a9ac1905f7c61986496986d
SHA512a309a14cd3e7348c7a3ed234de2699c4a784b4303b30d6282dc0dfe6fc94497dd58ed92d36c0ccf836d310ed31611533b958fb6d905f60568040c6b72460b7fd
-
Filesize
691KB
MD5d64a921a2f5c7b1b60243bb001539b93
SHA1089c6e0c16172f018d4cfa6161efa7e8c781c884
SHA2561c24eec1748199bce0d0cb0a15cf0434f746ba5e1f8bc39b76eda1699439f069
SHA5129ddd67115feee527c4d09fd2f98e51f1a19873302406d9c05730a136741f8ac7be308165bb26cd44b32efd7f03dc58f9c96c7401bc1eec9989c129d17b5aba6f
-
Filesize
1.1MB
MD5d62ade3c815a04b370cfbad741942202
SHA19d19a1d0d74402d86706e9d1ebba07d8017e2556
SHA256d47674a41e330c39ca501e9929e276b8de2d7bfabc89b76a59816feadf515168
SHA512d9c39afbbc0f0112ba5160e2b72402e5d45ad0f44990176bfca89410e9ab8924ff3200360b7430402bd073e90e36783d5e2c9e1beedcdfc45394deb55227802a
-
Filesize
765KB
MD50485ea5892243651594ff6b225f47927
SHA19df9927c3a5c1620eeec6d9259f936838d0e3d54
SHA256a32a04a7327e9d837b24888cf7b9f19cf60ae8f310410967920b4c4b5a92fade
SHA512ecfdce29dea46b04f75f75f24a05843681528405447a7eaa38e08e9588b4333e9a1eaccaf6e1c99eac32ac65b1df0caa1505bcafb6480f044459a68183db21cb
-
Filesize
2.0MB
MD515a468968bb1c157b5742f631de7e22c
SHA14efecc7e6519c7ccfc3ac38448552bf450ff179d
SHA256d4b79ddef19536a046c1ec78e2915e342926294aefd9eeb7a8199b50fb2d0413
SHA512e7ffafda1b0aeb20e127f9e99b4b30e6d4cc578af104959a290d1b532d9178aeabe1c094b1adc28d0ff4a1d3da0da39a62e82a5e039404a80510fd61ec3db87f
-
Filesize
2.0MB
MD5731b72233bd9e93921091f7759d41e69
SHA1fc089f2a0eff9d48f17b6485cfa455af27c5778f
SHA25660a3b73c6c893b611af9ca0a51c52b8a91cd603af97e9d945831fdd313c17b75
SHA512f536546f3fa3c6eccb40b4edd13a6180c958c1221759a1a067369c3a7100f723d33a8a2c746944a6a22658ad676a29e1e54778ed98817169282bd93e789b14ca
-
Filesize
648KB
MD527b519c0e6cc0746642e2ccc8768127a
SHA11db51fe0fe788f559f8c11107c8ca5e6dbc7fc48
SHA256e8c10b65d36344c09a675056dc9a29012dc0e576ff159ac8c310e0a5887fe5f2
SHA512d9842845731c5f67d4a3788de627a2da45ed5867155a53f3f9a8577e64b9d89d61340116790a306644bfe6000ef8e0a2c160a0ce128509f7912adee0824849d1
-
Filesize
603KB
MD5cffb7797476a76983bd3bf34589b3a36
SHA11258abe79766433b6d96c62c2fa6e756563ed7b3
SHA256023265871051063640796afa3a51a33070a15d8c788eeb23ac039c680f92a987
SHA51297dd2b2fbd989ba66bc99d2ffc41a23af5f7080753bb78a6e7e4b73ccd407eb2a6aba858314ceb2c75ade4a22c01174fb28cd8cd300a5a3a34ff760b7a17c577
-
Filesize
577KB
MD5bc833ced35560215341440d3e188bcda
SHA1f0ea64a5ec1447b8277e45ea9ff1ca39130bd3f9
SHA256946f75269863f6aaae90d337283672d180dc81b820ae57e9fba2b4831046406f
SHA512fb3108012e34d007d9617914472d5839c0ae877634767c63a47061d616db3512b76231bb4ae45e3a8ddc20be72ceaea8dbbcb1af4f8dd1dd53b13bcf73a12c4c
-
Filesize
644KB
MD54338cbfdf63d814451856a987d84322c
SHA12c6dde7f2529aa8c4c4a597af7fb5f309f45da2f
SHA2565838b458885ef9e6b8805f3fdaf44a887fe28dbe5cb53722520dc97647c5ebaf
SHA51222ae6a960d465cea9d79e59e2f3b1b805d4a64ed62690471f60e1a0e1556e91921649afa2ed0d9c626c9cecb7aafe0a78cc90e0e97bd71cad860d738d591a0d6
-
Filesize
674KB
MD5e7e56eff53a663d2d0496ae547e8b51d
SHA17ead13620cb6b0c255fee9933744151e3c9bd3f2
SHA256d1dc025ca1494333097bb3b02aaf99b31907eb2fb4491150a3de658c13497ada
SHA512aa21b73c5e751c69a4409274053a603be432dc77d334aba8b7fe0b5c87bd1af4db8e252d555f715adca4c174662869115c5fff22eb60b8c98ffd52eb64be7ab7
-
Filesize
705KB
MD5e16bc0d06e4d21c2614602675cac13c6
SHA1ed5a290c49fdc748e4797f4a1cade68671d10862
SHA256900e21ae39813333c979065d7779730d3106fef85be7e9c9d37fb2c7de4e430c
SHA5120bd3975108f47a80a72232ae41334ec479007cc32381fae692b09f02bb3de070e825f81559c3e22bf13baf49cd91535b906fee6fb54349a94e9cb6fc502ee211
-
Filesize
581KB
MD5afc26041a3be07d53d83563dc27233eb
SHA1f485c95724fc5751b80fe90de9a2943ec4bde64e
SHA256bcd05c90f69c6b270a5a58d476f9fda715b553d3518a03255999a2b19ff36398
SHA512d41227b7a99dfa91491e0b71fc7cc68f67d712475285999ae2d0cfe4780c78b85fbb2cfc35e2ff8bdcb4ef174b998d71d772e3561b9d14bc6f8a16d6168de8ef
-
Filesize
1.2MB
MD52db802f69e63ac7dee40a561ba81c3b3
SHA13979ddb991bde3bef2be4938ce78f4cc2c0e7586
SHA256616507d872ef4800130799e1169e537056fd32c47a2423c894de73b692f45177
SHA512da927f83c0366869d8f65bb19927371e8919b75d17bb7d04b764173ab8d6c28329799234412596822641207a737ffc95120cd44e860499dc2fc0ff4c3890981a
-
Filesize
691KB
MD59018ff24d313fe8b9bd07b3511a65dc0
SHA1811eb13e08a7c8c36b648710b398d350dcb71481
SHA2567c4083b50b9910b1e17d0af462354e180c47f7a29ce914887140e2b63e423abd
SHA5129ed425a8b250ea51d6658c716fd11680c769ee140cca860f4af87a7098408d3480b48e3478a88b7e0317f4896719ed6dd334ec89ca11026869a420990d753a75