Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 10:25
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
Resource: win7-20240221-en
General
Target: 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
Size: 4.6MB
MD5: 06bb37eb2744eb9f23cb1a25b82c5845
SHA1: fa416078604d02d9e222200c50f9261b833891f0
SHA256: 4ed1bd9470e986123ecadb2e316fd2201f008dc9735fa12b1c1dd5dcb89a6dbd
SHA512: 70838c38fd682874f16839115ea9f45f0a6baa6cf431aa591e481c648026ffa8669c2ced9e2110441722e34390963b1f53519275a20c788cc5459f4427d082e1
SSDEEP: 98304:rDokH1WPirCB6Ijt91p2GWNzSC34g2FiiIVD527BWG:3tHSi6XGNNiE/VVQBWG
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
Processes: steamwebhelper.exe, steamwebhelper.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | steamwebhelper.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | steamwebhelper.exe
Executes dropped EXE (32 IoCs)
pid | process
436 | alg.exe
4444 | DiagnosticsHub.StandardCollector.Service.exe
1016 | fxssvc.exe
5028 | elevation_service.exe
4284 | elevation_service.exe
3628 | maintenanceservice.exe
3528 | msdtc.exe
1604 | OSE.EXE
4632 | PerceptionSimulationService.exe
3296 | perfhost.exe
2148 | locator.exe
4496 | SensorDataService.exe
3476 | snmptrap.exe
1940 | spectrum.exe
3828 | ssh-agent.exe
3744 | TieringEngineService.exe
4872 | AgentService.exe
344 | vds.exe
5084 | vssvc.exe
3960 | wbengine.exe
3180 | WmiApSrv.exe
1260 | SearchIndexer.exe
6832 | steamwebhelper.exe
6976 | steamwebhelper.exe
7224 | steamwebhelper.exe
8068 | steamwebhelper.exe
7824 | gldriverquery64.exe
7736 | steamwebhelper.exe
7776 | steamwebhelper.exe
8548 | gldriverquery.exe
8716 | vulkandriverquery64.exe
8752 | vulkandriverquery.exe
Loads dropped DLL (41 IoCs)
The report lists one pid/process row per DLL load, without the DLL name; consecutive rows for the same process are grouped below with a count, in the order the report gives them.
pid | process | loads
14244 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe | 14
6832 | steamwebhelper.exe | 4
6976 | steamwebhelper.exe | 3
14244 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe | 2
7224 | steamwebhelper.exe | 7
8068 | steamwebhelper.exe | 3
14244 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe | 1
7736 | steamwebhelper.exe | 3
7776 | steamwebhelper.exe | 4
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No IoCs are listed for this signature.
Drops file in System32 directory (38 IoCs)
Processes: alg.exe, 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe, DiagnosticsHub.StandardCollector.Service.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\521dbdb1c3136770.bin | alg.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
Drops file in Program Files directory (64 IoCs)
Processes: 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
description | ioc | process
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | alg.exe
Drops file in Windows directory (4 IoCs)
Processes: 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe, msdtc.exe, alg.exe, DiagnosticsHub.StandardCollector.Service.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
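The three "Drops file" signatures above share one shape: the submitted sample opens service binaries such as alg.exe and DiagnosticsHub.StandardCollector.Service.exe for modification, those same binaries appear under "Executes dropped EXE", and once running they open further executables in System32 and Program Files. The sandbox only records that each file was opened for modification, not what was written, so whether the targets were actually infected cannot be read off this page; the chain itself, however, is the pattern of a file infector propagating through the binaries it touched. The script below is an added example, not part of this report or of the sandbox's tooling. It parses rows flattened the way the report renders them (a constructed subset of the rows above is embedded inline), rebuilds the writer-to-target map, and lists the writers that were themselves targets earlier. The row regular expression and the executable-extension list are assumptions about the report's layout, not something the report states.

```python
"""Rebuild the write chain from sandbox 'File opened for modification' rows.

Added example: not part of the sandbox report or its tooling. The row format
assumed here is the flattened '<description> <path> <process>' layout used in
the report's 'Drops file in ...' signatures.
"""
import re
from collections import defaultdict

SAMPLE = "2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe"

# Constructed input: eight rows copied from the report's System32 and Program
# Files signatures and flattened the way the report renders them.
IOC_TEXT = (
    rf"File opened for modification C:\Windows\System32\alg.exe {SAMPLE} "
    rf"File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe {SAMPLE} "
    r"File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\521dbdb1c3136770.bin alg.exe "
    r"File opened for modification C:\Windows\system32\SgrmBroker.exe alg.exe "
    r"File opened for modification C:\Windows\system32\fxssvc.exe DiagnosticsHub.StandardCollector.Service.exe "
    r"File opened for modification C:\Program Files\7-Zip\7zFM.exe alg.exe "
    r"File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe "
    rf"File opened for modification C:\Windows\System32\msdtc.exe {SAMPLE}"
)

# A row is the description, a drive-letter path (which may contain spaces),
# then a process name with no spaces. The path is matched lazily and the
# lookahead forces the process token to sit right before the next row or
# the end of the text, so 'C:\Program Files\...' is not split at the space.
ROW_RE = re.compile(
    r"(?P<desc>File opened for modification)\s+"
    r"(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<proc>\S+)(?=\s+File opened for modification|\s*$)"
)

# Assumed set of extensions worth treating as executable content.
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


def parse_rows(text):
    """Return a list of (description, path, process) tuples."""
    return [(m.group("desc"), m.group("path"), m.group("proc"))
            for m in ROW_RE.finditer(text)]


def is_executable(path):
    return path.lower().endswith(EXECUTABLE_EXT)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def write_chain(rows):
    """Map each writing process to the set of executable basenames it opened
    for modification (non-executable targets such as logs are left out)."""
    chain = defaultdict(set)
    for _, path, proc in rows:
        if is_executable(path):
            chain[proc].add(basename(path).lower())
    return chain


def second_generation_writers(chain):
    """Writers that were themselves opened for modification by another
    process in the chain. A sample that rewrites alg.exe, after which alg.exe
    runs and rewrites more binaries, is the propagation pattern of a file
    infector."""
    modified = set().union(*chain.values())
    return sorted(p for p in chain if p.lower() in modified)


def summarize(text):
    rows = parse_rows(text)
    chain = write_chain(rows)
    return {
        "rows": len(rows),
        "executables_touched": len(set().union(*chain.values())),
        "writers": sorted(chain),
        "second_generation": second_generation_writers(chain),
        "non_executable": [p for _, p, _ in rows if not is_executable(p)],
    }


if __name__ == "__main__":
    for key, value in summarize(IOC_TEXT).items():
        print(f"{key}: {value}")
```

On the constructed subset the second-generation writers are alg.exe and DiagnosticsHub.StandardCollector.Service.exe; msdtc.exe was opened by the sample too, but in this report it only touched MSDTC.LOG and DtcInstall.log, so it never becomes a writer of executables. To run it over the full report, paste the complete flattened signature text into IOC_TEXT; the regular expression does not depend on the number of rows.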
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SensorDataService.exe, spectrum.exe
All key paths below are relative to \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\
description | ioc | process
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Checks processor information in registry (2 TTPs, 9 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe, 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe, steamwebhelper.exe, 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | steamwebhelper.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | steamwebhelper.exe
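The SCSI and processor signatures above list raw key paths, and what matters for triage is buried inside them: the device instance IDs under Enum\SCSI carry the vendor and product strings (Ven_QEMU and Prod_QEMU_DVD-ROM name the emulated drive outright, while "Msft Virtual DVD-ROM" also appears on a physical host with a mounted ISO), and the CentralProcessor reads show which value was fetched (~MHz here). The script below is an added example, not the report's or the sandbox's code; it parses a constructed subset of the rows from both signatures (plus one Geo\Nation row, to show it is ignored), pulls the class/vendor/product/instance fields out of each SCSI path, and separates strong hypervisor markers from weak ones before giving a verdict. The marker lists are my assumption based on common hypervisor device naming, not something the report asserts.

```python
"""Classify sandbox-evasion registry reads listed in a sandbox report.

Added example, not part of the report or the sandbox's tooling. Parses the
SCSI device instance IDs out of Enum\\SCSI key paths, flags vendor/product
strings that name an emulated device, and tags CentralProcessor reads as
CPU fingerprinting. The marker lists are assumptions about common
hypervisor device naming, not something the report states.
"""
import re
from collections import Counter

SAMPLE = "2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe"

# Constructed input: rows copied from the report's SCSI, processor and
# location-settings signatures as (description, key path, process).
ROWS = [
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001", "SensorDataService.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName", "SensorDataService.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C", "SensorDataService.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000", "spectrum.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName", "SensorDataService.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz", "TieringEngineService.exe"),
    ("Key opened", r"\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0", SAMPLE),
    ("Key value queried", r"\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation", "steamwebhelper.exe"),
]

# Device instance ID layout under Enum\SCSI:
#   <Class>&Ven_<vendor>&Prod_<product>\<instance>[\Properties\...]
SCSI_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)\\(?P<inst>[^\\]+)",
    re.IGNORECASE,
)
CPU_RE = re.compile(
    r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+(?:\\(?P<value>[^\\]+))?$",
    re.IGNORECASE,
)

# Assumed markers. Strong ones only occur on emulated hardware; the weak ones
# also show up on a physical host (a mounted ISO appears as 'Msft Virtual DVD-ROM').
STRONG_MARKERS = ("QEMU", "VBOX", "VMWARE", "XEN", "VIRTIO")
WEAK_MARKERS = ("MSFT", "VIRTUAL")


def classify_key(path):
    """Describe what one registry read reveals; None for keys outside the two
    families the report flags (the Geo\\Nation geofence read, for instance)."""
    m = SCSI_RE.search(path)
    if m:
        hay = f"{m.group('ven')} {m.group('prod')}".upper()
        return {
            "kind": "scsi",
            "class": m.group("cls"),
            "vendor": m.group("ven"),
            "product": m.group("prod"),
            "instance": m.group("inst"),
            "strong": [mk for mk in STRONG_MARKERS if mk in hay],
            "weak": [mk for mk in WEAK_MARKERS if mk in hay],
        }
    m = CPU_RE.search(path)
    if m:
        return {"kind": "cpu", "value": m.group("value") or "(key open)"}
    return None


def summarize(rows):
    """Group SCSI reads per device, count CPU reads per process, and give a
    verdict on whether the reads would reveal a virtualised host."""
    devices = {}
    cpu_reads = Counter()
    for _, path, proc in rows:
        info = classify_key(path)
        if info is None:
            continue
        if info["kind"] == "scsi":
            key = (info["class"], info["vendor"], info["product"], info["instance"])
            dev = devices.setdefault(key, {"strong": info["strong"], "weak": info["weak"], "readers": set()})
            dev["readers"].add(proc)
        else:
            cpu_reads[(proc, info["value"])] += 1
    if any(d["strong"] for d in devices.values()):
        verdict = "virtualised"
    elif any(d["weak"] for d in devices.values()):
        verdict = "possibly virtualised"
    else:
        verdict = "no marker"
    return {"devices": devices, "cpu_reads": cpu_reads, "verdict": verdict}


if __name__ == "__main__":
    result = summarize(ROWS)
    for key, dev in result["devices"].items():
        print(key, dev["strong"] or dev["weak"] or "-", sorted(dev["readers"]))
    print("cpu reads:", dict(result["cpu_reads"]))
    print("verdict:", result["verdict"])
```

On this input the QEMU DVD-ROM alone is enough for a "virtualised" verdict, which is the practical point of the signature: a sample that reads these keys does not need to probe the hypervisor, the emulated optical drive announces itself by name. The DADY HARDDISK entry matches no marker and is left for the analyst; the script does not guess what that vendor string is.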
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchFilterHost.exe, SearchProtocolHost.exe, fxssvc.exe, SearchIndexer.exe
All key paths below are relative to \REGISTRY\USER\.DEFAULT\
description | ioc | process
Key created | Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | SearchProtocolHost.exe
Key created | SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Key created | Software\Microsoft | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ccfa2f59a0b5da01 | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Key created | Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | Software | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000aabab5ca0b5da01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | Software\Microsoft | SearchFilterHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ed3ce5aa0b5da01 | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | SearchProtocolHost.exe
Set value (data) | Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4f1e959a0b5da01 | SearchProtocolHost.exe
Set value (str) | Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 =
"Windows Media Audio/Video file" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ccf84e59a0b5da01 SearchProtocolHost.exe Set value (data) 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ce7875ca0b5da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" SearchIndexer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4f1e959a0b5da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft 
Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043a4fa59a0b5da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia SearchFilterHost.exe -
Processes:
2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3d
c94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
pid | process
- 3688 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe (repeated entries)
- 14244 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe (repeated entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
pid | process
- 14244 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid | process
- 668 | (no process name recorded)
- 668 | (no process name recorded)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe, fxssvc.exe, TieringEngineService.exe, AgentService.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe, steamwebhelper.exe
description | pid | process
- Token: SeTakeOwnershipPrivilege | 3688 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
- Token: SeAuditPrivilege | 1016 | fxssvc.exe
- Token: SeRestorePrivilege | 3744 | TieringEngineService.exe
- Token: SeManageVolumePrivilege | 3744 | TieringEngineService.exe
- Token: SeAssignPrimaryTokenPrivilege | 4872 | AgentService.exe
- Token: SeBackupPrivilege | 5084 | vssvc.exe
- Token: SeRestorePrivilege | 5084 | vssvc.exe
- Token: SeAuditPrivilege | 5084 | vssvc.exe
- Token: SeBackupPrivilege | 3960 | wbengine.exe
- Token: SeRestorePrivilege | 3960 | wbengine.exe
- Token: SeSecurityPrivilege | 3960 | wbengine.exe
- Token: 33 | 1260 | SearchIndexer.exe
- Token: SeIncBasePriorityPrivilege | 1260 | SearchIndexer.exe
- Token: SeTakeOwnershipPrivilege | 1260 | SearchIndexer.exe (repeated entries)
- Token: SeDebugPrivilege | 3688 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe (5 entries)
- Token: SeShutdownPrivilege | 6832 | steamwebhelper.exe (repeated, alternating with the next entry)
- Token: SeCreatePagefilePrivilege | 6832 | steamwebhelper.exe (repeated, alternating with the previous entry)
Suspicious use of FindShellTrayWindow 16 IoCs
Processes: steamwebhelper.exe
pid | process
- 6832 | steamwebhelper.exe (16 identical entries)
Suspicious use of SendNotifyMessage 15 IoCs
Processes: steamwebhelper.exe
pid | process
- 6832 | steamwebhelper.exe (15 identical entries)
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
pid | process
- 14244 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: SearchIndexer.exe, 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe, steamwebhelper.exe
description | pid | process | target process
- PID 1260 wrote to memory of 4656 | 1260 | SearchIndexer.exe | SearchProtocolHost.exe (2 entries)
- PID 1260 wrote to memory of 1632 | 1260 | SearchIndexer.exe | SearchFilterHost.exe (2 entries)
- PID 3688 wrote to memory of 14244 | 3688 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe (3 entries)
- PID 14244 wrote to memory of 6832 | 14244 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe | steamwebhelper.exe (2 entries)
- PID 6832 wrote to memory of 6976 | 6832 | steamwebhelper.exe | steamwebhelper.exe (2 entries)
- PID 6832 wrote to memory of 7224 | 6832 | steamwebhelper.exe | steamwebhelper.exe (repeated entries)
- PID 6832 wrote to memory of 8068 | 6832 | steamwebhelper.exe | steamwebhelper.exe (2 entries)
- PID 14244 wrote to memory of 7824 | 14244 | 2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe | gldriverquery64.exe (2 entries)
- PID 6832 wrote to memory of 7736 | 6832 | steamwebhelper.exe | steamwebhelper.exe (8 entries)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (tree; the level is the depth in the process tree, indentation shows parent/child)
- [level 1] C:\Users\Admin\AppData\Local\Temp\2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe (PID 3688)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe"
  Signatures:
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [level 2] C:\Users\Admin\AppData\Local\Temp\2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe (PID 14244)
    Command line: C:\Users\Admin\AppData\Local\Temp\2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
    Signatures:
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [level 3] C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (PID 6832)
      Command line: C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=14244" "-buildid=1716584667" "-steamid=0" "-logdir=C:\Users\Admin\AppData\Local\Temp\logs" "-uimode=7" "-startcount=0" "-userdatadir=C:\Users\Admin\AppData\Local\Steam\cefdata" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Users\Admin\AppData\Local\Temp\clientui" "-steampath=C:\Users\Admin\AppData\Local\Temp\2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --disable-quick-menu "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal"
      Signatures:
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      - [level 4] C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (PID 6976)
        Command line: C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\dumps "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1716584667 --initial-client-data=0x3ac,0x3b0,0x3b4,0x39c,0x3b8,0x7ffe8a46ee38,0x7ffe8a46ee48,0x7ffe8a46ee58
        Signatures:
        - Executes dropped EXE
        - Loads dropped DLL
      - [level 4] C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (PID 7224)
        Command line: "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1716584667 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1704 --field-trial-handle=1760,i,15448163332235978232,13809633619316081230,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
        Signatures:
        - Executes dropped EXE
        - Loads dropped DLL
      - [level 4] C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (PID 8068)
        Command line: "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1716584667 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=2216 --field-trial-handle=1760,i,15448163332235978232,13809633619316081230,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
        Signatures:
        - Executes dropped EXE
        - Loads dropped DLL
      - [level 4] C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (PID 7736)
        Command line: "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1716584667 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=2528 --field-trial-handle=1760,i,15448163332235978232,13809633619316081230,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
        Signatures:
        - Executes dropped EXE
        - Loads dropped DLL
      - [level 4] C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe (PID 7776)
        Command line: "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1716584667 --steamid=0 --first-renderer-process --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1760,i,15448163332235978232,13809633619316081230,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1
        Signatures:
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL
    - [level 3] C:\Users\Admin\AppData\Local\Temp\bin\gldriverquery64.exe (PID 7824)
      Command line: .\bin\gldriverquery64.exe
      Signatures:
      - Executes dropped EXE
    - [level 3] C:\Users\Admin\AppData\Local\Temp\bin\gldriverquery.exe (PID 8548)
      Command line: .\bin\gldriverquery.exe
      Signatures:
      - Executes dropped EXE
    - [level 3] C:\Users\Admin\AppData\Local\Temp\bin\vulkandriverquery64.exe (PID 8716)
      Command line: .\bin\vulkandriverquery64.exe
      Signatures:
      - Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\bin\vulkandriverquery.exe.\bin\vulkandriverquery.exe3⤵
- Executes dropped EXE
PID:8752
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:436
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4444
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:2808
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1016
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
PID:5028
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:4284
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:3628
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3528
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:1604
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:4632
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:3296
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2148
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4496
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:3476
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1940
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:3828
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:1280
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3744
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4872
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:344
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5084
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3960
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:3180
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:4656 -
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:1632
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3c8 0x4481⤵PID:7884
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.1MB
MD5718d056077b5d13f5523c489ed533c08
SHA108234a57f7996231504c2828cbf25fc9d34d5720
SHA256f917f4488d5aa480ae90edfc27d14e4a9473b65a02182fd82426b6f93a4b0d40
SHA5120f1e8f13ef62562addce34f184169c1aab367018906e0e6a1b9147fdd8e00ec71188c2371663e48d2b96fa3007348e9e6d35205f7b6902f30a61058cfc012d92
-
Filesize
797KB
MD59df103530164bf3ee45fe6d0da26cb52
SHA1b0d3f3328542be6f0a02579cfb9295b20c2fef23
SHA256d19cccbaca6bb2885b9e0c94a1d89162d0672fb91a6af0472d57c2b43217157d
SHA5124d69fb49639613ed9deb326f1e8a0242d40e09f2fc43b0103e69841cb91eb0ba6ce8f03dfc2f81006d729644568f0283fa3e12d04f63ec8ee40605c8da7c6f83
-
Filesize
1.1MB
MD5efb0363957a8fd4d793c65a80d453f6e
SHA11868a45e71fcea21f43566f5120411f628f9f98a
SHA2566d9b178454da8cf8bf69193f3625dc3b342451401c0147165b14c7be34571565
SHA512bc6562c8fed32f16f5edac79f3cc5b061b22314eb3b688f264aed4c9c0fca3cc7581eaaa5b5e8a876282fdfa6939ad2dc96ef27214c9d758f13758f7bdd5f9c2
-
Filesize
1.5MB
MD531bd7cd0f051c05e7a84807035a10476
SHA1697202c35a6f0f134194d640da7d4d7a602ce016
SHA2565f6596f3f050923504e0a26997882ac4f4d2dc84cde391f044a3d82f3cce9e1e
SHA512b92ca50f9a7c4afec504cd1cd6cf0f67d602f9864e061e3c47c2fea993452717dafd98a650babcf24b388573faa177c8aaed3770782d6e1b9c098c2cad0f7706
-
Filesize
1.2MB
MD5857f2ff0044ad9be5853981c783eccf4
SHA1bfbe3f18d7b0d84b7d3c9a1ad40d36c49c90c302
SHA2566c19ea44447c24cab29b47c6411cc29c3560a72d398798818a26e5a28f00409d
SHA5122003b179f88f8a468bb1016468a8f49fbc98861c5293b7e3e29840f6cd16ef1e892e230e8d5738f50edd069e9d7d1e80860aafe56d66805c90c569b8195c0c47
-
Filesize
582KB
MD5d591512fd67ffaf0650fb8b4dcef8b95
SHA1c1a88e35620c01a8d0c05ce5cd4449dbb8ba9420
SHA25669a15060eb9fb75d2224783a58f0270df6a7a8fc3bc473a9d8b20cbca492238e
SHA512c1958b09ca15a3932fa7de1f4d6dce154bb2ee6fb462bbb8b61bdcbdfc09a5d177506a5e23c489e593e8eedf7decdd0289463a199e8d1a308636f715bcbb6e7d
-
Filesize
840KB
MD55998729c6ca6b9cd42b1d7bb723216c7
SHA1b1b4627230315f449eae6a5e76076ba93eb03e6a
SHA25634f10cc9c299570258d36504e380d9f277d37dcaead8e4ae2c9ed4476d240505
SHA5123a967a7cd516ee3d212659823100ad9b43bd20a99c804402f71e4f01241dfb3b06a3e799933828c36989f0c9de31df44cd016803fb258a2e1af33970a1f1a0d2
-
Filesize
4.6MB
MD5ba7cf59fed5fba1ecedca61a13a8e85a
SHA10987a603d522d61eb50f5fbe6cbf1b5f3998bdba
SHA256b0b71866b4e17e58be4101fe1166b519c931ba515cef745d81e65368e8f2e419
SHA512cdce780bfea0f5cf20c98fcf7d738b603adc87054bb562f3e9ed386fbee4a2cbc523a1050aa2f22605162847d274a0cbfe18687db8e36710385739a3e28402e1
-
Filesize
910KB
MD5408d00f379d50046a43bd1b7be9fa02f
SHA10e7ab60f426b0cc8cfa77932c2f382650fc8cd86
SHA25614ca6a896eb0a8d2e310899d9b9737e2be111d4b252490420924e151faaaf088
SHA512982e3206f1d4d41db4c96ebb3cd32631bfc3575a03444467191d60e2a79964b9f590fabdaeae22b0347f19d98ee8011230a8bc0414ece5ddd26706ded576ed0f
-
Filesize
24.0MB
MD51836409500629c08e958dc3ad40ec300
SHA11552ffd9e779552d60591c6f0874c9692eb37409
SHA256460d0d3dcef45b54431ead8367bf07a12e303293f1802d57ae3eb661c9900899
SHA5125c4016032cfc5921ee681d59cea0b739c8f668437c3b46771399b154bc33ed46152e75a7c5cb16274bae1b0151adb5859d682a12f2ef5c3b894d4bdd6708132c
-
Filesize
2.7MB
MD58c9e85da6417ed1fc6deacebb2e3eb75
SHA114084131d6a1ee5ce5d0d7f9bc3006c973d06ee8
SHA2560b480034080729fb7bff5281f101be59c0ac11f16ce1d762f795684e3ff83c14
SHA512dc4cd64c2c5c101c267d05195207b83bd9cb801d6137c01cd3f4cebad4c8979820da0c6ab2eb748c2de0d82c7a84232dc927f923a8200121a64ecd0ba30c607c
-
Filesize
1.1MB
MD595039c544f3474b299b9aeb1cee55a18
SHA164ee34960b6efa7eaf72dfd74f3d65182fd59715
SHA25664406a7689dce92bc7e6a9a3988118a0f77128f2c46402adaaefd7654c745486
SHA5123921b0248851b49cc20844b8f9b861b1e9000c0c13c63ca12f36ff2777d23a763744229ffbdf05fe8a4eae8fbefc242fafb7ea17092aca303dd0c08d9f93aa35
-
Filesize
805KB
MD5f11e2405e3d785ad823acff08aa53a80
SHA149c5fce5e46df2c05fa223aee647d62e6a6e8f96
SHA25607f5ed677703bdc67d34f43e22e3a15d3aa3eb7850534b6241718a27de9a3ff0
SHA5125ba2f8ece7e78d084684c0c69b7b3e4c092351579a51d755f520cd008628672b59912db8378154f36b22eb6e445623b21c0020185a3dc364564b2cf49b3305b3
-
Filesize
656KB
MD58af433d5a24564c13dbcfc3b017d224d
SHA1208088d625b166c342d30b99d2ed0f8e51ecfabc
SHA256c8ceb3948685d6879d81439e0fc460e6280919dd01401515c4f0858f0bc74fc0
SHA5125ca12146e5eeb075667e101f24de3e177f389a2b48185481981ddda60d62800b30c8ed0b4ecd7d927629d4fa1a6e7e20d05ce1be916aa3994061443ebf9bab39
-
Filesize
2.0MB
MD5ab8a8a2e5f976c5ab34cba583ac36356
SHA11f8875734015e0ab64ee26efc6f8c40b5716d0f0
SHA25636d600a651f8776d570d2ec7c0d0aeecc1774da6f656e54841a915f2d2d0e3d8
SHA5122f754b9784586edd2ad981736710696c038ce247468ccfea7226ea4fced63d6bfe63a79bb92d14424d11fd43a738a3045f46a2973847a712122523693d0df9dc
-
Filesize
2.2MB
MD53eb84cf4c1c1fa434cf4155e33181ded
SHA133413b0545820caa8d1ba638423db438b03c6e07
SHA256dbf4b991227739c888dc73ba57d35c0205b82f9134d191d4c8e9e6b141bc3b3a
SHA5126987f35a7906f3259e7fbdd2d574e8d2c89f1beced26093d682c4681fc327f4333791a99750731fb322d81cfcb5dba3aa34a8d43198da73a269efb033cbeb814
-
Filesize
1.5MB
MD58da553ef7f4ecf8692bec03655310b17
SHA1cd5ed68e83ec8daa2abe606aa1c6327c690a0d9d
SHA256e988878977350c62c89b960dbbedfc860bf2c7c4ab48a95e117a541af82a84dd
SHA51237a6c0a80ff7b14f5e48c22425c861272f5df51dd214e6b649730e5175e41c4b9b913e5eb899c2ae4ad3bea9f0e9ad576d9137a57c54ce2a6fb9243410432e72
-
Filesize
701KB
MD5e0b642329e8162016418ac4f621159f3
SHA17a79926e60a9d7eca992ef1523bf4c87b3e179e3
SHA25607ea4f5f818dded46339c2e9ec450aa1a43149034ab478dbefd24d18989212d2
SHA51280156ad7dfce36f80da392856b1749b88b34f513e593ccfa562ec148d92a7d9ff165a4fd2decd42920b41b428d3e84cadaae0cb4780c16d026f31302417ce962
-
Filesize
216B
MD5e826d9e0468f19f2691d94dba32246e0
SHA146d74659a655d3241b6bc2ef42a778bc42f60091
SHA2568dd898b52487a612ff0c753789e2d2039aba2f5fcd7b01d7afd13f57603faaef
SHA512d31ebcf0bd0ea6a3ee41565828ae72affbfa6c9fcc50f3e19ae2ddacfb3e770c9c972a5abc70c16e92f1b747001bbe268e409615a28068cea5ad975c7786dfa2
-
Filesize
48B
MD55de732b8c96404d45c2d04e10eeb5cec
SHA164fb3d432a306a364ec3bbe6d8b834c1b14d510c
SHA25691952841965f1391bd91daf93623465a9b4801c9420529150d5a300154db3157
SHA512af5bf0603556a38a311412da60a76bd7973a44376597d8b4d6770d08f9c0b97e15fa299eb5801577a159fde9a9f8ddd4445a35bbc7951a5fe8c01fadebedbe48
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
693B
MD58971c39ec098db262ac752d3ae5ce44e
SHA120b476a37e5a85b6539ae88ec75042a19f10d6db
SHA2563ce1938a192873b3cc39ae004a9b090468b697e977cbae524d43bdca57945672
SHA512e2ea62dd42e4638f01e6f67840690e292a89b0f6381462a6686d4d93f2fe07393aa433a8de860f8381d3a441b95cf04ea84c570e9c5ccd2f87ea0f51237be3fb
-
Filesize
484B
MD5f1b5adc9c264a0dd2a8d7180a767f8cf
SHA10fa5c8c88d35a73edb267b76034710cf46c629bc
SHA256718454c8d95c17e08878e44f055749ee72a9376c6e7e73387f6ce1d0863db84f
SHA51202d4fc20a0bada58dc4c793c9f27b895f2341b054c27ad4cdf8a68b2f090f314b7e2cad5e2f44ffdf84bc20142565be5ef01bd24c2cffb52c851fe7b02bbee6a
-
Filesize
300B
MD5540458c0bad774d09682015f06aa5623
SHA14a260dcbfd1405c1d29b49301f8f5177a2e14f02
SHA256f7d398f6ec44f415fd56af725f541adee90d3786e8b99c04b1e9e4fe0557bc18
SHA51251117ec4987ee357c95df470d94cf5111ccc7566afdff74db9192f24ec3c1e1c587fdc5cc6c6e26bf74b2242fe55a0cc37214cf1345b28cb893a2695d59059e4
-
Filesize
59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
7.1MB
MD5d764264518e77cc546a5876c3bcebad4
SHA1ea17d45b396fa193a851bfd345e2b2c20ad60e12
SHA256e78492de0ab575add50b925bfd44216d224d09904a9b14c17087a92fdcbc15cd
SHA5127cf132ea5254a55c08186ffcf5e47360ef5ddd57d03d7051171f6753b22e3925304d183c2037bfd320ad56c08e079f9b2c4640db8cb3dbd38ff500c7a39e997f
-
Filesize
226KB
MD5a09c5fa842fa4456a0b53b46f1050225
SHA19e4677f19e77bf55e7d0e2e82d8c27f79dbbd78e
SHA2563d7ba6fedfdfd6e751693d718a21438304690b754d1c5d13c847a829b2423b8b
SHA51271c962da6ed6894209891513bf9f0132a5eab6c65a5d9ba334efcaf73463be5625665a060863a106d59fad1949f6191f641aa4c59ddb0e825701bef08ef9b5a5
-
Filesize
175KB
MD5cbc43e3928d5fd556456f8f9ef285063
SHA133c043f63171ddbbe58a5031961cb5040d1a245b
SHA256ae99258ab7694026147b259367ef82d8ac2b118f87c02c7a41f81b82d1f7a9d7
SHA5120d13bebbd71e48a1dffa34ad68e2a76746b3d745529842aba594b5de4d1a621f8759a2968cd61d8dfe9780a9ff23e808b6c90d63957e6ac2f95bf1ae0bf4b3a6
-
Filesize
23KB
MD59c2202f9ebd8d2e8c90c93d3b0f433e1
SHA13d20c8f8428df16372e7de91a6d4f94b80aefb4c
SHA256894842053591d4818bac9e1e476601cf39e4191b4bd0748ccb9f3c2711caa946
SHA512b274b3f3dafd290f72351b36b9937445e78b6a16eb6cfa9a0b6de3cf11d5d809cd5f4095c2c4a05c16bdd1fb1be0b883e4c387ae8f7693eab958a63ce408097e
-
Filesize
23KB
MD50b2450ac7066b1aa6970cd4763bed6a8
SHA19cdc98d8a852c5e66c42e83edec21a1a2ab1d347
SHA2569e9ee99c5fbe9a2a784d324b4bff06842874dbc33320c1fb02f063060d2d5c7b
SHA512a1e0b0dee99c5d4ee03f15fa69436f41c965438b289eb244c8bbdec2de4b439e8ea60417ca6a37064b0aff023fbae5debb732e5e69027ca86623514520d6dffd
-
Filesize
23KB
MD5880c1094ab4679600f77012712fcfdcc
SHA1d92636752ceed77e4eb37967306de746953e375a
SHA25665e57b5316eee1433c006adc6487c3ad3e17412b1a6d5a35ba518aaefd871bbf
SHA512de8a622fd97bcd0a429c7a0874fc6dbeacb966e406dc519448ddfb420f584686a7a5ef105b4ac45a3a8de3bf0b7ed5b79ed62a92ebfceea3bceccce7298af652
-
Filesize
23KB
MD5df9bc6c6936655ed05180de600916f3c
SHA1abfd6dc420368aaee7d3ce11cca36af3cb4446f6
SHA256b34fda7a50b20aaae509d0919ced53d718afb997a2bd9f3b97446c3cebf994d6
SHA512b6d935a6046a573df8c0a7bafd57c35f333f74fbe754e18de13cdf9a39fd9649449030539b208046651d648eca20e4b5d0e73a8a7d173d6ea37bbfc311b0d6df
-
Filesize
23KB
MD5a78aabc0f9a9dc5b9923d2ff67d24f23
SHA13a0330b84c7ca674f0710c10eee1e5126d545429
SHA25639e98dd2cfd15b1687f3a8f8690a80026af0deaba5142c0fe503bbebca46d4c1
SHA5123efd9fd95ef6aa16172c3d89150d49611c21deaa13fd50c2114e76380de573255ec6bdcfe10665bbe15a17c1d05ba327ca7ea24949ad1a173b3db86bab24adcf
-
Filesize
23KB
MD572dbf67f86c95cdef31eaaef5861a00f
SHA118134f00734a2255bdf9bbc777045ac2d4f2e2f3
SHA2565c74808c61ca8b6acb8f74813fb116341b18c27e4a654bbdd383b9fee3f33d36
SHA512e0bbcdfb658ffa70b047cfd84a0e8a5613530ed0a34cc9ac365f69e253894db4b6fd059ce02627c201c1e9efe0b98aaddb70a641ce297677d3f9162838fdd1f3
-
Filesize
27KB
MD5ee9e1e1af17a74d23438fb63f6b66395
SHA111f60e073257560f5f3dc8943e854bf2eac36ed2
SHA2568587505e511503127abb7e5c614853b7848a489d96da0a95bc736dc6c3097a5e
SHA512aca34604580214291d1ea62765ecb280c6eafad7bf8967af8c268d2daff84f783dafec8ed334ac051ad61a14fc3128dc3f396116b9c6413a288fbe7bb099a202
-
Filesize
23KB
MD5a5707e6342e22d92ef8df839783d1716
SHA1642c499b65382d883f6f9381fa204ba8d08f1f10
SHA256fbf7e43884a1fd8adf167a5cfa4319339e2dba84515ec4487e074decc9afb206
SHA51233a5255fe6b46d228cc131d27479d272342e88f12d884b841751167000e2c6a9c08a996526580a8466e957f4696d2400baf5d2cc2b3e5f8ea23ae3803d684285
-
Filesize
23KB
MD5a2317c5ce4c82910c7f4e97d48af645a
SHA167f5034a905cd1ef0c2888fd2cc40c2024d0848c
SHA256363c1cc60b8cf09f026ffe4d6dabee37021f37d5719fa55ab807d56613e30b90
SHA51235be28f55fcde4ad140fa089ee86aaeff3e90f174737474dfd502925313225db393a3e27eda0b44d9bee831ead48a24e803c35884842cee2946d558650b6f8f5
-
Filesize
361KB
MD59667216fc56106299cfe0474afdeaf39
SHA138b0768abfcd617bd8db59431a9525d789c84f83
SHA256b056457b66dea391772a655ba03871180160314df68768f43b21c3cedf9d19ed
SHA512a3c02500299e433ada5de7cc12bb05ee6b947ce363d355bb074a5525c68ccf0ccf46b5732262bb56e88f4dc2a0e32d4d577858c48a742a63745be8c3f018bba1
-
Filesize
13KB
MD53286b091e48bda782618cffa3b012ac7
SHA148a20a4062acb7961fb22e76e52081b36bbe61aa
SHA256d1fac24e9be588bd765263c4699710d15f3516b207d7828e270968d3268ccc33
SHA512853b292b629f57c894db7c1d482af374cb25262d606ec2c59f7e931362e20870ed432aecce23b0b3b444a459a1a585046752450be6e13499cdef2b11230aae1a
-
Filesize
3KB
MD5b5fb6a1a9bffc9d7bd0d16cb41bcd328
SHA1e9ddfdd047a3090a9ea52e873ebf0e7607f6a2f3
SHA256de844519aeb812eb5e1178b9837abf236de57d88668d792b2fb29f411bbd2cad
SHA5126d0e4197a8e5eebe5cdf559dc0da3bb836359ca34b72de043ef2093a925c9926a241bf677208501eb3d228c0b77e4584e6c19b59136d58598f3ae5c7d878da91
-
Filesize
464KB
MD510f9e89e442f565957d2af08b2b74047
SHA18132cd3763cd9200bb0fb7600cded8d60d6cd9a5
SHA2563ffcd73d5e6761b05be12dbbb07d3baf64f2680f2931d4acea288bb4d48e803e
SHA512e69a5f1fd04ff966179b185d4e4c82bf223aed29b0a67044509e33b2d4745d677bb7697e47b419205478fbef9a6903d50469d7ad41c302b4cfa9506180a8d50f
-
Filesize
9KB
MD593e69eae544858aa33c9c1f6d48c4a8b
SHA1f8b18435ceaad470bd809f02ac2934a5926e6adf
SHA2567c569ccef088133b444f049ae07a8b9e6bdb78ef1b00ccfc6eacbf7b23619b3c
SHA512cc4256ea641a41c31bce7ff19d4a5dc50a3a123cd039dba85b70549dcfdd9798024a258dab1be734165a89fcd24792d623f064ed4a639567f68b57b864d2be8b
-
C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\[email protected]_
Filesize
15KB
MD5577b7286c7b05cecde9bea0a0d39740e
SHA1144d97afe83738177a2dbe43994f14ec11e44b53
SHA256983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824
SHA5128cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0
-
Filesize
20KB
MD500bf35778a90f9dfa68ce0d1a032d9b5
SHA1de6a3d102de9a186e1585be14b49390dcb9605d6
SHA256cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2
SHA512342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041
-
Filesize
23B
MD5836dd6b25a8902af48cd52738b675e4b
SHA1449347c06a872bedf311046bca8d316bfba3830b
SHA2566feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64
SHA5126ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80
-
Filesize
4KB
MD5da6cd2483ad8a21e8356e63d036df55b
SHA10e808a400facec559e6fbab960a7bdfaab4c6b04
SHA256ebececd3f691ac20e5b73e5c81861a01531203df3cf2baa9e1b6d004733a42a6
SHA51206145861eb4803c9813a88cd715769a4baa0bab0e87b28f59aa242d4369817789f4c85114e8d0ceb502e080ec3ec03400385924ec7537e7b04f724ba7f17b925
-
Filesize
12KB
MD5c5573b722849a26993a7753479f88632
SHA1f30f0e6721acc51e09c3b5cf1033ca071364abd5
SHA256baa95466e0095bd5cf385544eb736bb22d04f72f3fec00fd0315cc4731c355a3
SHA512ef30c0df421342180f751a3903d574f484cc623f259c2c564d7f53ecc8fc8d70aeb7c9b985a6e8de29d8b472c675cb3e538fd185f34b27d0b2c19b05e07422f9
-
Filesize
588KB
MD58c2e80e98c50a7b308f45417e6cf6e3e
SHA1f5a504d8d3d06baacaeea23cd1e8d07064a80809
SHA25637a78b1e6528be72b84ac0a45ca982f95eb0bcc32b9c140fa4423f04a53928c3
SHA5125d9a76b71d23014df9c6e24e7df6746395e219bb533d360ec3269d60eed7642119651d33bd343995f17cecfbac2344c084027261d6bcf5643e64421b05d781c1
-
Filesize
1.7MB
MD5e1aaa20ddab1d17c029e292ac2e51d0a
SHA1589ff498c53011d36ef2c87f2bdd1d6a376d4a8b
SHA256775b1a1c9c21e9c473013db30b7dd593993fd283e8f4386f42cce317e2b10518
SHA512a24acefce66ea58f5bd3d10a39012f102f68236e6e67743ad5cb9c8ba86d3f77fffcbf189403c28351f178836e08147e8aabdf0e7a68cb635804fb2c7b5b17c8
-
Filesize
659KB
MD5f7789fb329b9b9f15dba8b8dbb34482d
SHA10caa9d05ec3c8c26376f08739cb712f1d46722dd
SHA2561884029044ecddd5ae47c4b24f67859749a9d94ba4bc8ebde40ba6edd87e598f
SHA5122cc8b8b54e8814436425dc01685aa3f76b3380951f4cc8270121ac55e6ea8a983ed95213b891f2cdb6f473d51ec846ee3637bf663b5f204e802c14582a91c1ef
-
Filesize
1.2MB
MD518f3763b70e11222263ccbf2a079ff32
SHA1ae742eda2b4b01d82f1abb4885a785e9ea4bd917
SHA256d7978bcff4bcdadc809fdabc0baa5bf9055acddbb344e6da369ddd9b7819c17a
SHA5120ab26a3d8181a2be192e25dfafcd4d58c2a889b357119bf12ce93a967a6a8a7998b4bdb0c631d9ddad1dd0bdddd04a830579f110d618f4b543b691aba230ee69
-
Filesize
578KB
MD52d5e713ef80f28a4c48bf7baba63dc5e
SHA1eedd36025a86a9f1ee06dc51c19a97030f88794d
SHA256b5e3a8336f7fd483789c2959399d1ef77aaf44a3e0f44bd68fe0f209e75908cf
SHA5123d9f04c58bdf5ae811dcaf2791a5e8e94ebd314bdb5de1fa9be80243a66cd23ebd91575c67214d0340548db8f092008e073fdb324d0ddc769dd944a7e4d9499b
-
Filesize
940KB
MD5eb51858b6f660d25d37aa09f8524e8af
SHA12e172383d2bbdad613ebc8b7531fb2d0dd8c2eea
SHA2569647a6c81b647471f76e950276c190e76461a2eb0a8ace167b601db0ac3901c1
SHA512752216dc84c062ef1e5915caad8560bd144dc639531ea71cde1478c0b319df3ab63e7ee621a4f4112cce6c0cf0b243b8c21becf8faaf96f3ee0ab06916580a9c
-
Filesize
671KB
MD5a731369edeb1cc6aad63cd9935821629
SHA1915f988571aae0f0ea58da6765863a580d13a760
SHA256af2d8b9324f2d3b7a30c9125e990b5ac653c0254acfae47f810cd6ae0b9947fe
SHA512f4b2a5029e0018594f1570c9736d269f7674bd2ab79fa371bed9de4d28b5856983b3e09ca4f6ffa520a8de19045c05e254c3791b2da3364339b5be833258112a
-
Filesize
1.4MB
MD52cca94d6f2d0c5813f75b4892357d376
SHA1d29684bbca9b406f2c016c02c8b064e58644a772
SHA256666b2bf2dc295dbf1f23c168b4483146ec951b82cb0a75603c22716613ef9cd0
SHA51228d1498fba036821f38e942f9fc4d5ad9eb90e4db9c97286572f6862c9aa07a91839d9274436ea8497c41c46fa7587030f7de6f91e963c85f95f45059d13e5e0
-
Filesize
1.8MB
MD5a459af34501f7a4f020ce11db34291d9
SHA137a9b3880e5bc5e22f601f0f0a6e925381e2c1fc
SHA256f65969426b6bebf3c95a204ac290c8011e8d21749dc718f23b0f540852b54100
SHA512a39746b5daffdafc21a514be7138a590f1128be58c38a275ff36b3a88728ae5501299a9bd6a1923999ecb83e1f354cd8346e5c38d6e390b03a79a7bdb9b37606
-
Filesize
1.4MB
MD5ee3b5429987e8b53db1e93d329559ed9
SHA171012aaffd2ba80e349af5e484b3ed403400984c
SHA256d2ab987c68aff320afa0f18dbd1683abcfd9cd5491605fec6ababaef4db821dd
SHA51215c8ae7fe8f5b70929ec9aadf8e4abea113822eea3d2510e12c43325d2ea1ec2f1912e7d70a4e445a77cf51ca9cd0b3ac94f4c6c6131d10d41e3e7c23e94ac5a
-
Filesize
885KB
MD57373e5bbfadf7ad3db53d1735d825e65
SHA14ba589a66f253bcc239007df441cb119b9d8a6bd
SHA25684f210f190c159beda119e92b4662d86a32412cb63d4ba93017aef84389a032b
SHA51211abb3491bd909e8b08081576191cfe097549d05ea78497eff2dfe261a245d39ba81272a0c8079b0ee9661defdd98ee5e138b3a32db5cc73697a547cc94f0ed9
-
Filesize
2.0MB
MD5af43bf962e1fb6b05c17fe47fa3971be
SHA170a8d60b005c226a5461e4c0923e657b7b16a669
SHA2564471e709d2958a52d8564d9dd3af61085a3637aae19e8735bc50d62b12912451
SHA5123a8bc8958e2b1d8acc4c19c94cfd60a27d2844481b3af34e048ce9c9a4283f0bb4f459ca2bae653504638ce24d3e83209b092d3b30d39ba73b007b27fdb48a0b
-
Filesize
661KB
MD5cfb4f102db0c1d9dde757a77d295369e
SHA19f5eaf5b76cce660c5d1163b7fd7740156d2742a
SHA2568a3c0d9e79ce334c73f6f61d0d978f11d42c593ef30fd9030a5214f8d255e745
SHA512881712dab4098fceed15a29a4c5ce32856ef9e6e8b266064291dac1a87a2a09dae613b65ff1ad22529d6d3b3a4a05dbe74b2e760e475562ce138b3c1036807fb
-
Filesize
712KB
MD5ad40bd07051c42f88b3f51bec0182bdf
SHA1b0a5307e73d9528aad161a92f0ea5932de187b85
SHA256fc60cf465fe6ba17ae9c4a563f00cc443bcbe65ce55c6dee5075c2d9ef88fb4f
SHA5120d136b1a8ac89f6b052cbacb1d690e3c6a2792627f2662bc598eb1d5852ef27631d7f92e27de5e2f84589d859b1d47bdf6184afce6c795ae8a5e9ad4a86f79fe
-
Filesize
584KB
MD54a276aeeb9032038f355925ae1ac7f4a
SHA184e30e8106bd25611f9c9ef4a5a15cbd1e58f08f
SHA256eb1b9a245d803da0bdce21ba807b03a4eda35aece7ec9a21b9ce4473e6a12ee8
SHA51259d8becaccc414001e5ea9ed66596ae7ea82401a730887a8ef618b39aa36cf1e0e28749f5c085539a6c69cb3476c09cab597280f5cb4592c4e4fba4e5ad6dd8e
-
Filesize
1.3MB
MD5b88b9413ac48565ac2b6a91afab75934
SHA1e54821123867f5cf132b6b5c1d4dfe216377805a
SHA256a4d518f2ce9dbbb969572e72ece6309b7858c02b1559016012dad372ede01b6c
SHA5126bce5bf30c0f3a20641469fd9feff31cfe3182cefca8039d9a5d937e547a513b581d9f18512674cae4d9960ebfcfe8fa461026d23a87ff95fc487bbfc4301b69
-
Filesize
772KB
MD510f0a5d8b4161119883d6be0d5ac61e9
SHA1572854f57f201d210542362483d1db4ad9ab63a0
SHA25661d52d7e5a390a6b555c276093b8004b5e421d92b4af8d0223575fe904067d25
SHA512d07d0a64c5d9e6c19db0ee2181bab005cb2eb646a638d1be182f3bd11a37e254fc7d47f3c55b25a6eef0038e80061115029a400607303d4938eb2574ed2cb9b9
-
Filesize
2.1MB
MD512c4ef74aa9782a644164b305ea9cad0
SHA1a52d6b539b1654b0b6149333b337e7422edb1371
SHA256e0ff4fc88743fa4294792e5ab8aa29a9d50d2380d404342ac0965c0a479129b5
SHA512e0f63df9f07208b5c1c7f847a122d76483b87c144871559754fa6edb8c8406fdee7dfa00b5c4a18653e7e2083d958b4b0f02e32eefdb3e6785a23722117395c0
-
Filesize
1.3MB
MD581d4ca1ab4bf37029b9e1a735cd3ee63
SHA1337a176a28b39eb98b146a1ed37434b15afc0fbe
SHA2567b370b227b5d52ecf62c9dd566f010fc97c1f1e7b53b80817731b0e886bc105e
SHA51253a60b24e46ba0db8823a4d66a6b92ece786a6c26e0a408b9471c9e15c970e047293388fa1ebb927287c2392da63aac48c7ff22d9e85b1164cf5a33ad446a27d
-
Filesize
877KB
MD59f83ce2cc27181711534960990737292
SHA19f93ddbed38b36eb887bdf8083d2fb0d6dd7838f
SHA256783e08f3cec167b049ad2bc5547b0ad37d3fbabebe9263053e9cf10f0004dd07
SHA5123a8b9ccc67c9848d85dd73e0aa3b7f6739c6ab69ca54b1e86fa168930dfed52c2ddeb63135d0099d94eb17fbffa6728f67f4c934515850900231950c0af1ceba
-
Filesize
635KB
MD5d631c86241764b66e2518f17892545f3
SHA17affd2b257bbf56d3b393198f0d4e668e5420784
SHA2561c10a3f92d3eabc1f3990022a864744281433a6afa92bfa365535d59a5aaf1ef
SHA51271ce5e019e8353465b180c682bb8bba233d9cf63370697bbbc246468d030e649ccdb10cf01f881576f73bbb6dbc76d35ec0cbceaa9bf2282b08f2a93003ae917