Analysis
-
max time kernel
148s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
08/06/2024, 09:08
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe
Resource
win7-20240221-en
General
-
Target
2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe
-
Size
24.3MB
-
MD5
97480e9c56a6dd102b546ec45740e324
-
SHA1
025e8eefedfa4f9d978c128126b66af0639f0de8
-
SHA256
46f56d7a89834c832ca861571f82f69bb1ed437b5e6621f1d51ad07212524f25
-
SHA512
39d8ae29876e4021f37c61f272325f03e0ee5c2d3b80a066d8ced8587569d810b5d2ef2da889030ffec11cdf2f1b36d2d5fea54c920066b56b42bb85f9e5b58e
-
SSDEEP
196608:jP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018d:jPboGX8a/jWWu3cI2D/cWcls1
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 468 Process not Found 2724 alg.exe 2772 aspnet_state.exe 2476 mscorsvw.exe 1208 mscorsvw.exe 1608 mscorsvw.exe 1812 mscorsvw.exe 1104 dllhost.exe 2960 ehRecvr.exe 2164 ehsched.exe 1656 elevation_service.exe 1852 IEEtwCollector.exe 2328 GROOVE.EXE 868 maintenanceservice.exe 1576 msdtc.exe 2448 mscorsvw.exe 2844 msiexec.exe 3044 OSE.EXE 680 OSPPSVC.EXE 1268 perfhost.exe 372 locator.exe 2632 mscorsvw.exe 772 snmptrap.exe 836 vds.exe 868 mscorsvw.exe 2400 vssvc.exe 2220 wbengine.exe 2876 WmiApSrv.exe 2888 wmpnetwk.exe 2508 mscorsvw.exe 2596 SearchIndexer.exe 1040 mscorsvw.exe 1528 mscorsvw.exe 1508 mscorsvw.exe 2856 mscorsvw.exe 1400 mscorsvw.exe 2784 mscorsvw.exe 2000 mscorsvw.exe 112 mscorsvw.exe 2128 mscorsvw.exe 572 mscorsvw.exe 1668 mscorsvw.exe 860 mscorsvw.exe 1772 mscorsvw.exe 2496 mscorsvw.exe 112 mscorsvw.exe 1528 mscorsvw.exe 1572 mscorsvw.exe 2000 mscorsvw.exe 2036 mscorsvw.exe 2516 mscorsvw.exe 2060 mscorsvw.exe 1240 mscorsvw.exe 2476 mscorsvw.exe 616 mscorsvw.exe 1032 mscorsvw.exe 2804 mscorsvw.exe 2144 mscorsvw.exe 876 mscorsvw.exe 2528 mscorsvw.exe 2372 mscorsvw.exe 2720 mscorsvw.exe 2960 mscorsvw.exe 2512 mscorsvw.exe -
Loads dropped DLL 51 IoCs
pid Process 468 Process not Found 468 Process not Found 468 Process not Found 468 Process not Found 468 Process not Found 468 Process not Found 468 Process not Found 468 Process not Found 2844 msiexec.exe 468 Process not Found 468 Process not Found 468 Process not Found 468 Process not Found 468 Process not Found 732 Process not Found 2804 mscorsvw.exe 2804 mscorsvw.exe 876 mscorsvw.exe 876 mscorsvw.exe 2372 mscorsvw.exe 2372 mscorsvw.exe 2960 mscorsvw.exe 2960 mscorsvw.exe 2976 mscorsvw.exe 2976 mscorsvw.exe 1716 mscorsvw.exe 1716 mscorsvw.exe 2464 mscorsvw.exe 2464 mscorsvw.exe 948 mscorsvw.exe 948 mscorsvw.exe 2816 mscorsvw.exe 2816 mscorsvw.exe 1772 mscorsvw.exe 1772 mscorsvw.exe 2980 mscorsvw.exe 2980 mscorsvw.exe 1196 mscorsvw.exe 1196 mscorsvw.exe 1592 mscorsvw.exe 1592 mscorsvw.exe 112 mscorsvw.exe 112 mscorsvw.exe 1156 mscorsvw.exe 1156 mscorsvw.exe 1344 mscorsvw.exe 1344 mscorsvw.exe 1508 mscorsvw.exe 1508 mscorsvw.exe 1776 mscorsvw.exe 1776 mscorsvw.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 20 IoCs
description ioc Process File opened for modification C:\Windows\system32\wbengine.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Windows\system32\SearchIndexer.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe alg.exe File opened for modification C:\Windows\system32\dllhost.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\d38dfde1ae4ef42b.bin alg.exe File opened for modification C:\Windows\System32\msdtc.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Windows\System32\snmptrap.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Windows\system32\fxssvc.exe alg.exe File opened for modification C:\Windows\System32\alg.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat GROOVE.EXE File opened for modification C:\Windows\System32\vds.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Windows\system32\IEEtwCollector.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Windows\system32\msiexec.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Windows\SysWow64\perfhost.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe File opened for modification C:\Windows\system32\locator.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Windows\system32\vssvc.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat SearchProtocolHost.exe File opened for modification C:\Windows\system32\fxssvc.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe alg.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\klist.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Program Files\7-Zip\7z.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe alg.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE alg.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe alg.exe File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe alg.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jre7\bin\policytool.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jre7\bin\keytool.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Program Files (x86)\Google\Update\Install\{D9005A2B-BC2A-4153-8911-AE3B3F543790}\chrome_installer.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jre7\bin\java-rmi.exe alg.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe alg.exe File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe alg.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe alg.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe alg.exe File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe alg.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe alg.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\rmiregistry.exe alg.exe File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe alg.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe alg.exe File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe alg.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe alg.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log maintenanceservice.exe File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP642F.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9453.tmp\stdole.dll mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP91A5.tmp\ehiVidCtl.dll mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\ehome\ehsched.exe alg.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP698C.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6BAE.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5255.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP76B6.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll mscorsvw.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs mscorsvw.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c0cb968783b9da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10305 = "Hearts is a trick-based card game in which the goal is to get rid of cards while avoiding points. The player with the lowest number of points wins." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates mscorsvw.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" ehRec.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505 = "Sticky Notes" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" ehRec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051 = "Snipping Tool" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e084298583b9da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" ehRec.exe Key created \REGISTRY\USER\.DEFAULT\Software wmpnetwk.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001 = "iSCSI Initiator" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit ehRecvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" ehRec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs mscorsvw.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople mscorsvw.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates mscorsvw.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid Process 1676 ehRec.exe 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe Token: SeShutdownPrivilege 1608 mscorsvw.exe Token: SeShutdownPrivilege 1812 mscorsvw.exe Token: 33 2024 EhTray.exe Token: SeIncBasePriorityPrivilege 2024 EhTray.exe Token: SeShutdownPrivilege 1608 mscorsvw.exe Token: SeShutdownPrivilege 1812 mscorsvw.exe Token: SeShutdownPrivilege 1608 mscorsvw.exe Token: SeShutdownPrivilege 1608 mscorsvw.exe Token: SeShutdownPrivilege 1812 mscorsvw.exe Token: SeShutdownPrivilege 1812 mscorsvw.exe Token: SeDebugPrivilege 1676 ehRec.exe Token: SeRestorePrivilege 2844 msiexec.exe Token: SeTakeOwnershipPrivilege 2844 msiexec.exe Token: SeSecurityPrivilege 2844 msiexec.exe Token: 33 2024 EhTray.exe Token: SeIncBasePriorityPrivilege 2024 EhTray.exe Token: SeBackupPrivilege 2400 vssvc.exe Token: SeRestorePrivilege 2400 vssvc.exe Token: SeAuditPrivilege 2400 vssvc.exe Token: SeBackupPrivilege 2220 wbengine.exe Token: SeRestorePrivilege 2220 wbengine.exe Token: SeSecurityPrivilege 2220 wbengine.exe Token: SeManageVolumePrivilege 2596 SearchIndexer.exe Token: 33 2596 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 2596 SearchIndexer.exe Token: 33 2888 wmpnetwk.exe Token: SeIncBasePriorityPrivilege 2888 wmpnetwk.exe Token: SeShutdownPrivilege 1608 mscorsvw.exe Token: SeShutdownPrivilege 1812 mscorsvw.exe Token: SeDebugPrivilege 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe Token: SeDebugPrivilege 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe Token: SeDebugPrivilege 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe Token: SeDebugPrivilege 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe Token: SeDebugPrivilege 1308 2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe Token: SeShutdownPrivilege 1608 mscorsvw.exe Token: SeShutdownPrivilege 1812 mscorsvw.exe Token: SeDebugPrivilege 2724 alg.exe Token: SeShutdownPrivilege 1608 mscorsvw.exe Token: SeShutdownPrivilege 1608 mscorsvw.exe Token: SeShutdownPrivilege 1608 mscorsvw.exe Token: SeShutdownPrivilege 1608 mscorsvw.exe Token: SeShutdownPrivilege 1812 mscorsvw.exe Token: SeShutdownPrivilege 1812 mscorsvw.exe Token: SeShutdownPrivilege 1812 mscorsvw.exe Token: SeShutdownPrivilege 1608 mscorsvw.exe Token: SeShutdownPrivilege 1812 mscorsvw.exe Token: SeShutdownPrivilege 1608 mscorsvw.exe Token: SeShutdownPrivilege 1812 mscorsvw.exe Token: SeShutdownPrivilege 1608 mscorsvw.exe Token: SeShutdownPrivilege 1812 mscorsvw.exe Token: SeShutdownPrivilege 1608 mscorsvw.exe Token: SeShutdownPrivilege 1812 mscorsvw.exe Token: SeShutdownPrivilege 1608 mscorsvw.exe Token: SeShutdownPrivilege 1812 mscorsvw.exe Token: SeShutdownPrivilege 1608 mscorsvw.exe Token: SeShutdownPrivilege 1812 mscorsvw.exe Token: SeShutdownPrivilege 1608 mscorsvw.exe Token: SeShutdownPrivilege 1812 mscorsvw.exe Token: SeShutdownPrivilege 1608 mscorsvw.exe Token: SeShutdownPrivilege 1812 mscorsvw.exe Token: SeShutdownPrivilege 1608 mscorsvw.exe Token: SeShutdownPrivilege 1812 mscorsvw.exe Token: SeShutdownPrivilege 1608 mscorsvw.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2024 EhTray.exe 2024 EhTray.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 2024 EhTray.exe 2024 EhTray.exe -
Suspicious use of SetWindowsHookEx 19 IoCs
pid Process 2020 SearchProtocolHost.exe 2020 SearchProtocolHost.exe 2020 SearchProtocolHost.exe 2020 SearchProtocolHost.exe 2020 SearchProtocolHost.exe 2952 SearchProtocolHost.exe 2952 SearchProtocolHost.exe 2952 SearchProtocolHost.exe 2952 SearchProtocolHost.exe 2952 SearchProtocolHost.exe 2952 SearchProtocolHost.exe 2952 SearchProtocolHost.exe 2952 SearchProtocolHost.exe 2952 SearchProtocolHost.exe 2952 SearchProtocolHost.exe 2952 SearchProtocolHost.exe 2952 SearchProtocolHost.exe 2952 SearchProtocolHost.exe 2020 SearchProtocolHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1608 wrote to memory of 2448 1608 mscorsvw.exe 45 PID 1608 wrote to memory of 2448 1608 mscorsvw.exe 45 PID 1608 wrote to memory of 2448 1608 mscorsvw.exe 45 PID 1608 wrote to memory of 2448 1608 mscorsvw.exe 45 PID 1608 wrote to memory of 2632 1608 mscorsvw.exe 66 PID 1608 wrote to memory of 2632 1608 mscorsvw.exe 66 PID 1608 wrote to memory of 2632 1608 mscorsvw.exe 66 PID 1608 wrote to memory of 2632 1608 mscorsvw.exe 66 PID 1608 wrote to memory of 868 1608 mscorsvw.exe 54 PID 1608 wrote to memory of 868 1608 mscorsvw.exe 54 PID 1608 wrote to memory of 868 1608 mscorsvw.exe 54 PID 1608 wrote to memory of 868 1608 mscorsvw.exe 54 PID 1608 wrote to memory of 2508 1608 mscorsvw.exe 61 PID 1608 wrote to memory of 2508 1608 mscorsvw.exe 61 PID 1608 wrote to memory of 2508 1608 mscorsvw.exe 61 PID 1608 wrote to memory of 2508 1608 mscorsvw.exe 61 PID 1608 wrote to memory of 1040 1608 mscorsvw.exe 63 PID 1608 wrote to memory of 1040 1608 mscorsvw.exe 63 PID 1608 wrote to memory of 1040 1608 mscorsvw.exe 63 PID 1608 wrote to memory of 1040 1608 mscorsvw.exe 63 PID 1608 wrote to memory of 1528 1608 mscorsvw.exe 81 PID 1608 wrote to memory of 1528 1608 mscorsvw.exe 81 PID 1608 wrote to memory of 1528 1608 mscorsvw.exe 81 PID 1608 wrote to memory of 1528 1608 mscorsvw.exe 81 PID 2596 wrote to memory of 2020 2596 SearchIndexer.exe 65 PID 2596 wrote to memory of 2020 2596 SearchIndexer.exe 65 PID 2596 wrote to memory of 2020 2596 SearchIndexer.exe 65 PID 2596 wrote to memory of 2632 2596 SearchIndexer.exe 66 PID 2596 wrote to memory of 2632 2596 SearchIndexer.exe 66 PID 2596 wrote to memory of 2632 2596 SearchIndexer.exe 66 PID 1608 wrote to memory of 1508 1608 mscorsvw.exe 67 PID 1608 wrote to memory of 1508 1608 mscorsvw.exe 67 PID 1608 wrote to memory of 1508 1608 mscorsvw.exe 67 PID 1608 wrote to memory of 1508 1608 mscorsvw.exe 67 PID 1608 wrote to memory of 2856 1608 mscorsvw.exe 68 PID 1608 wrote to memory of 2856 1608 mscorsvw.exe 68 PID 1608 wrote to memory of 2856 1608 mscorsvw.exe 68 PID 1608 wrote to memory of 2856 1608 mscorsvw.exe 68 PID 1608 wrote to memory of 1400 1608 mscorsvw.exe 69 PID 1608 wrote to memory of 1400 1608 mscorsvw.exe 69 PID 1608 wrote to memory of 1400 1608 mscorsvw.exe 69 PID 1608 wrote to memory of 1400 1608 mscorsvw.exe 69 PID 1608 wrote to memory of 2784 1608 mscorsvw.exe 70 PID 1608 wrote to memory of 2784 1608 mscorsvw.exe 70 PID 1608 wrote to memory of 2784 1608 mscorsvw.exe 70 PID 1608 wrote to memory of 2784 1608 mscorsvw.exe 70 PID 1608 wrote to memory of 2000 1608 mscorsvw.exe 83 PID 1608 wrote to memory of 2000 1608 mscorsvw.exe 83 PID 1608 wrote to memory of 2000 1608 mscorsvw.exe 83 PID 1608 wrote to memory of 2000 1608 mscorsvw.exe 83 PID 1608 wrote to memory of 112 1608 mscorsvw.exe 80 PID 1608 wrote to memory of 112 1608 mscorsvw.exe 80 PID 1608 wrote to memory of 112 1608 mscorsvw.exe 80 PID 1608 wrote to memory of 112 1608 mscorsvw.exe 80 PID 1608 wrote to memory of 2128 1608 mscorsvw.exe 73 PID 1608 wrote to memory of 2128 1608 mscorsvw.exe 73 PID 1608 wrote to memory of 2128 1608 mscorsvw.exe 73 PID 1608 wrote to memory of 2128 1608 mscorsvw.exe 73 PID 1608 wrote to memory of 572 1608 mscorsvw.exe 74 PID 1608 wrote to memory of 572 1608 mscorsvw.exe 74 PID 1608 wrote to memory of 572 1608 mscorsvw.exe 74 PID 1608 wrote to memory of 572 1608 mscorsvw.exe 74 PID 1608 wrote to memory of 1668 1608 mscorsvw.exe 75 PID 1608 wrote to memory of 1668 1608 mscorsvw.exe 75 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-08_97480e9c56a6dd102b546ec45740e324_magniber_revil_zxxz.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1308
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2724
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
PID:2772
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
PID:2476
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1208
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2448
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 258 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2632
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 248 -NGENProcess 1e0 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:868
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 1d8 -Pipe 250 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2508
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 258 -NGENProcess 264 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1040
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1528
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 268 -NGENProcess 25c -Pipe 23c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1508
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 258 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2856
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1e8 -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1400
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 274 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2784
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 26c -NGENProcess 27c -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2000
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 26c -NGENProcess 278 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:112
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 264 -NGENProcess 27c -Pipe 1d8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2128
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 284 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:572
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 278 -Pipe 288 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1668
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 264 -NGENProcess 294 -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:860
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 26c -NGENProcess 274 -Pipe 278 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1772
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 298 -NGENProcess 27c -Pipe 290 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2496
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 28c -NGENProcess 274 -Pipe 294 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:112
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 29c -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1528
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 27c -Pipe 270 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1572
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 274 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2000
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 26c -Pipe 268 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2036
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 270 -NGENProcess 258 -Pipe 290 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1240
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 250 -NGENProcess 284 -Pipe 248 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2476
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 244 -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:616
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 254 -NGENProcess 258 -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:1032
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 21c -NGENProcess 284 -Pipe 1f8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2804
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 284 -NGENProcess 250 -Pipe 23c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2144
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a8 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:876
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 1c4 -NGENProcess 21c -Pipe 294 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2528
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 29c -NGENProcess 250 -Pipe 260 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 250 -NGENProcess 2a8 -Pipe 2a4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2720
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 2ac -NGENProcess 21c -Pipe 284 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 21c -NGENProcess 29c -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2512
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 26c -NGENProcess 2a8 -Pipe 1c4 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2976
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2a8 -NGENProcess 2ac -Pipe 2a0 -Comment "NGen Worker Process"2⤵PID:1080
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 274 -NGENProcess 29c -Pipe 250 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1716
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 29c -NGENProcess 26c -Pipe 280 -Comment "NGen Worker Process"2⤵PID:1256
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 298 -NGENProcess 2ac -Pipe 21c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2464
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2ac -NGENProcess 274 -Pipe 28c -Comment "NGen Worker Process"2⤵PID:1988
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2b8 -NGENProcess 26c -Pipe 2a8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:948
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 26c -NGENProcess 298 -Pipe 2b4 -Comment "NGen Worker Process"2⤵PID:904
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2c0 -NGENProcess 274 -Pipe 29c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2816
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 274 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"2⤵PID:1580
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2c8 -NGENProcess 298 -Pipe 2ac -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1772
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 298 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"2⤵PID:876
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 26c -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2980
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"2⤵PID:1544
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1196
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"2⤵PID:1364
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2e0 -NGENProcess 2c8 -Pipe 298 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1592
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"2⤵PID:2884
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:112
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"2⤵PID:2300
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1156
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"2⤵PID:2404
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2c8 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1344
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e0 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1096
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 300 -NGENProcess 2e8 -Pipe 2d0 -Comment "NGen Worker Process"2⤵PID:1004
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2fc -Pipe 270 -Comment "NGen Worker Process"2⤵PID:844
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2f0 -Pipe 2d8 -Comment "NGen Worker Process"2⤵PID:2404
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2e8 -Pipe 244 -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1508
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2e8 -NGENProcess 304 -Pipe 2fc -Comment "NGen Worker Process"2⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1776
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 314 -NGENProcess 2e8 -Pipe 208 -Comment "NGen Worker Process"2⤵PID:1256
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 258 -NGENProcess 270 -Pipe 308 -Comment "NGen Worker Process"2⤵PID:1096
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 300 -NGENProcess 2e0 -Pipe 304 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1004
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 318 -NGENProcess 2e8 -Pipe 20c -Comment "NGen Worker Process"2⤵PID:844
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 258 -NGENProcess 270 -Pipe 30c -Comment "NGen Worker Process"2⤵PID:2020
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 320 -NGENProcess 2e0 -Pipe 2f0 -Comment "NGen Worker Process"2⤵PID:2608
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2e8 -Pipe 314 -Comment "NGen Worker Process"2⤵PID:1772
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 270 -Pipe 31c -Comment "NGen Worker Process"2⤵PID:1776
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 2e0 -Pipe 300 -Comment "NGen Worker Process"2⤵PID:1988
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 2e8 -Pipe 318 -Comment "NGen Worker Process"2⤵PID:1096
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 270 -Pipe 258 -Comment "NGen Worker Process"2⤵PID:1460
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 2e0 -Pipe 320 -Comment "NGen Worker Process"2⤵PID:1624
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 2e8 -Pipe 324 -Comment "NGen Worker Process"2⤵PID:2372
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 270 -Pipe 328 -Comment "NGen Worker Process"2⤵PID:1984
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 2e0 -Pipe 32c -Comment "NGen Worker Process"2⤵PID:292
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 2e8 -Pipe 330 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1976
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 270 -Pipe 334 -Comment "NGen Worker Process"2⤵PID:2096
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 2e0 -Pipe 338 -Comment "NGen Worker Process"2⤵PID:876
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 2e8 -Pipe 33c -Comment "NGen Worker Process"2⤵PID:2684
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 270 -Pipe 340 -Comment "NGen Worker Process"2⤵PID:1860
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 2e0 -Pipe 344 -Comment "NGen Worker Process"2⤵PID:2372
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 2e8 -Pipe 348 -Comment "NGen Worker Process"2⤵PID:2192
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 270 -Pipe 34c -Comment "NGen Worker Process"2⤵PID:2792
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 2e0 -Pipe 350 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:1668
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 2e8 -Pipe 354 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2544
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 270 -Pipe 358 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2112
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 2e0 -Pipe 35c -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2588
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 2e0 -NGENProcess 374 -Pipe 378 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:964
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 37c -NGENProcess 270 -Pipe 364 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2004
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 360 -Pipe 368 -Comment "NGen Worker Process"2⤵
- Modifies data under HKEY_USERS
PID:2528
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 374 -Pipe 36c -Comment "NGen Worker Process"2⤵PID:1740
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 270 -Pipe 2e8 -Comment "NGen Worker Process"2⤵PID:588
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 360 -Pipe 370 -Comment "NGen Worker Process"2⤵PID:1528
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 374 -Pipe 2e0 -Comment "NGen Worker Process"2⤵PID:2664
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 270 -Pipe 37c -Comment "NGen Worker Process"2⤵PID:1860
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 360 -Pipe 380 -Comment "NGen Worker Process"2⤵PID:1964
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1812 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2516
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2060
-
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
PID:1104
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2960
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
PID:2164
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2024
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1656
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
PID:1852
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2328
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:868
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1576
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2844
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:3044
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
- Executes dropped EXE
PID:680
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:1268
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:372
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:772
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:836
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2400
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2220
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:2876
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2888
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:2020
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵PID:2632
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2952
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
706KB
MD52da0c8751b10d6d3341764f2d904bed5
SHA1a71581591d5751a2f93e83bd536ca92386a24d06
SHA25616ed55201143c4d085e5702ed6f38f60192d015ed1613b7d792b63fc73141e58
SHA512704970bee1d666e7271e1f7ace8981f9ff41ee320057f7cbb8a0c862a8f3f034a5cc38397eb40f9c4f92d36b98d5c9baec9603cefb5884169516523883853755
-
Filesize
30.1MB
MD5a67910fe17eca6c58aebb02c66019737
SHA15a1d5bc652fbaa9568e517abed56e41e505b32a7
SHA25683ede337fa97ee192352cc18a390f35bd95ef1b8922e79d099efb495748d9d89
SHA51281ca00e264b6e8c2790b4d9a5745a42ce0b61725db9848a7efb7371aa1651d1dbf5bca24a7531ef09ddf40ffcff82ee1d359c3a3a26be5a8e888b849b7fd1f79
-
Filesize
781KB
MD5e8d4a5b767fb882001aeb2613980a7c4
SHA11716b2d9ca498fd86ee26e599909516d46b89fc1
SHA2566b4533ccac2560512b6e4f95700fc6679b2c738e1f8dfcef025ba9bc58c42451
SHA51277ba14eeba6c75f08421beb802df530a9b76aa595468171475556f8af8fa0654c985084dbb6fc4fbaa6a6b07716bfc09677f299a43c5904c5e187fe626cbeb05
-
Filesize
5.2MB
MD555d5669f070dc0dd8321f7f8c3fcf363
SHA1e60a303532eaf4f2e1085f61674680329f6b0e47
SHA2561d2edadf0c8cf3638c2447b5f12a59f7a60b440397a819709dc8d828fe6989e4
SHA51264ef7a640173243d1c6b79e95254c69819e229e3110ccb89c68084a2f0ffaf319a58c04eb6cdbc4c9ff15e09c624263dab230916da0ef721db22084e132956d3
-
Filesize
2.1MB
MD5db66d825f5f9bab2e47011f0e359f34a
SHA1e9fe664c722206e78d6951ddfba1eeadba12c2e1
SHA2562634eab0d6fbb9e2b4939adc1ccfade27881df07f4b5a38143df3d0855c3876e
SHA5127631d06b4b22f8733471cc6518c1d9b9e2c4d71cc54d05b44d8291adf9b691098ccf1c1c5e74ef243a746f06600cc9bf602b23a8f2e3980f4edb2766ce40a618
-
Filesize
2.0MB
MD548021257b27bf54d95ed56a813a6fa35
SHA1bb39a1f2bd077e4908d45577cce4b8be04795109
SHA256c773899153c0680392aa18ce9fca7f1da561d0dd2414ce4fcf8aa14dd79f482f
SHA51238370f7b49206a5f3ff40c275ec45d3c1ecb28521f9a27cbdbffcdaed450e7195428b72595e3d36e89b5e28ac39b3f6c5bd08d08470917f948981c2ca3234643
-
Filesize
1024KB
MD5e4e8bd22f7cb41cb482ed6d096f5454a
SHA1fd9e9fbb155380f3cebd918891f934e7e2b9939f
SHA2564e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7
SHA512a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
Filesize24B
MD5b9bd716de6739e51c620f2086f9c31e4
SHA19733d94607a3cba277e567af584510edd9febf62
SHA2567116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
-
Filesize
872KB
MD5bf237e680fa0d0e7b285ee22ed3d9dac
SHA1c8d36a0b323cb46f75e300157bbfd1ad82807699
SHA2565912a2e961320e4abcd595475877573098a86b3807051c59f985f6ff157bab5d
SHA512c2a9816bef5455f4488bf0c7ad1fcd6e9d89a92a82a5f5f07c5599f6cb46965f49366b0309dd3e50728622fbd8434e17cc3de3bdb3aa81d6c8ba05cebb5b143e
-
Filesize
678KB
MD521149fcea3ec4119ff5a5e4910bc8e2e
SHA13a92f00bc8e32bdf9e472c2f05c8f8995020c05b
SHA2569fb2dde0033817108a4473d70fe8153235be656061f1299b8262e755bc7ded87
SHA51205085322e0acf659e8a8087e480f7c5fa452dea271633395d646bb2193baddd5b15b0beaed9b5def72ccba49ff363109d8e6776c305d5321b547b1d2c574f50e
-
Filesize
625KB
MD51c3d5d2c800b3db0cadc12b4f151803f
SHA1257034885525f2354f173c982c901795a63d48af
SHA256e0d57dd2e49d3cf1c2d21878fc8aee8bbee3ada5e6ccd6a70555dc78e6ca62b6
SHA512e5f1ae15d2ba90026bbf86ac7c1d88fe2354e1c84fb16dc51e412053ffe63947548668df52801368a14146564e2d826ae6f5211a54dabaaed760e196f675a938
-
Filesize
1003KB
MD5fa830c710b5876c074c8bfb7ab014a9b
SHA1e854b8ec3e35dfe1e27112bfc580d29e6f9cc362
SHA256a2959bd1dc1d4b08cdd07d24bf9a7f84cb3c4dad30bf4c993c5093904fb28ef2
SHA51249893312d1400ec1cd8121a0240e30cda2d408f9fc004239df93d3960083a099097fcd1f40e21e89a864e375a426d93716a2229044a70ba9cf180b35d1a39ea8
-
Filesize
656KB
MD5a6a4eb2c6a777ffd2e44fa977073a193
SHA12bad40056fc3a0a15fd21806b45e927ab73b92d9
SHA256c8ee82dec30f8e26e87c455e4a01d8ee08835ea90418071ff7adea423c402a51
SHA5125977d63237111f5ef9ed672518aa89963dace9193e3b6edf0a23b0618c386a11281a0d29263c9ca3584af5b780cd67adc4967b9c3728cb70a7e284d32cf4f5b0
-
Filesize
8KB
MD5cb624741e3f8fdacdf0c20bd6836d34f
SHA1c72e12e5b2e03b61e33fc037beec808434274425
SHA256c828f68247221e0626778402ca7c66e1631b755772771dfa32cdbcbc64b629a5
SHA512c28f0a73b9ff6dcc7e8baad2cb8568626e50ef95fa5d54efb3d775ce0dc333d62a5578da6006fc45c9f4db673b851eadfc1466ffb6c6d8887de4fa1b37b7853e
-
Filesize
587KB
MD5578128e76a8d3d99c2d11274aa0ecc19
SHA1d09b1c3c395d8137ea99845b4e32727fc4d513a7
SHA2560c193e6b22ab69cb8b849ccb3a6c5e545b44ac2bd729e5f74c96d7e8ed51015e
SHA51269aaf6028fe3c49d2913d84551dd73f8b5632df0968830b5e74a9fc6c02b39b569e3d47e0d4c3a984fb46ccd7763b7327ce62653243514b6678852e1ca5e1112
-
Filesize
1.1MB
MD56c2d656cccbbc115e54b9bfa5884bda0
SHA10a95b93db6e9790b233cb68b48cd3c4a14931153
SHA256c22a041221271cd8c4b861e10003972fe932fb6f12bb572e0a579cdcc18877d9
SHA51271c3e26ef490f95ab3c8ba5f2300f6b0e47caadc59b3dd669c10a0eb96eaf23dc0aba110b3c995958678cdfed2fad032347818e754f08d97c826e6a4249e5ccb
-
Filesize
2.1MB
MD578e24679555db7aef66ec182c1abcf8b
SHA1c167daa7596352d8f68c9efd4679f3293288bb29
SHA256bdaef4c18719f4f5dcd822d8c0c4ab72a11db710ccc1df34de70ea66185f2ff8
SHA5125b3e9e543753b44c0893331c2c8180d00efc45dd084766cc2863d8a5cbb61e0901cec7aca617a6f15402b62adcfc332e28ff3f9e4d1c42d1a17f84bcaa06fab0
-
Filesize
581KB
MD5573f15a8d49bcd291b295d5a8b180598
SHA1b34a1999b7d6d150e4f82b1b1fd056c29f267b88
SHA256a3286b88caf04fb160aab4cf203cc78ee0942aa9d9cbf84062ca2c71b4d607c8
SHA512b89c08fb1fc7a00b11cbdce91ccd96b5ea14401841b0cdf2f75688944c5e6e1f766f13c69d9a5cfc83f916e300c401c070b7dafce0457ffa8be1c129e44d0a55
-
Filesize
1.1MB
MD56f25a2a9b48622ba36fdd25b89b87658
SHA18a51a852ff006dd77d526c773ecccad837704791
SHA25699f95b53cd99b472c8d336ed4a986f62ebbcf1cd174d527471dc161ce98d8134
SHA512d04854f87ae5c583ee7cec0de659fe76f749e9f0fd3027ac0d245b49f3c15303e09c0bce99269d0ca61a0014cfcfde38f50440b6888955347724660bb06e32b3
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll
Filesize148KB
MD5ac901cf97363425059a50d1398e3454b
SHA12f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA5126a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll
Filesize34KB
MD5c26b034a8d6ab845b41ed6e8a8d6001d
SHA13a55774cf22d3244d30f9eb5e26c0a6792a3e493
SHA256620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3
SHA512483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll
Filesize109KB
MD50fd0f978e977a4122b64ae8f8541de54
SHA1153d3390416fdeba1b150816cbbf968e355dc64f
SHA256211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60
SHA512ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll
Filesize41KB
MD53c269caf88ccaf71660d8dc6c56f4873
SHA1f9481bf17e10fe1914644e1b590b82a0ecc2c5c4
SHA256de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48
SHA512bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\525025517cd26beae4329f51bd735f21\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll
Filesize180KB
MD51d9b48719050e3a8bb232d92fbb623d3
SHA13a9d2164d429b46d7eaaf0bee9123ad6d728c0d1
SHA256e3ac43a753a1ddfb61a216be3790663374a4cc50f02f14a3c1a706e55160d7f2
SHA5126871c99b87a5a2450c6fbf78e3cfbfcd48b19ca0c6690af898637f690d60e1da5def2f204c4dafe2ff631dff19298ee60f810fc96a3c4c11aa4fbcec0d76ae3c
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll
Filesize210KB
MD54f40997b51420653706cb0958086cd2d
SHA10069b956d17ce7d782a0e054995317f2f621b502
SHA2568cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553
SHA512e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll
Filesize53KB
MD5e3a7a2b65afd8ab8b154fdc7897595c3
SHA1b21eefd6e23231470b5cf0bd0d7363879a2ed228
SHA256e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845
SHA5126537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll
Filesize28KB
MD5aefc3f3c8e7499bad4d05284e8abd16c
SHA17ab718bde7fdb2d878d8725dc843cfeba44a71f7
SHA2564436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d
SHA5121d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll
Filesize27KB
MD59c60454398ce4bce7a52cbda4a45d364
SHA1da1e5de264a6f6051b332f8f32fa876d297bf620
SHA256edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1
SHA512533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll
Filesize57KB
MD56eaaa1f987d6e1d81badf8665c55a341
SHA1e52db4ad92903ca03a5a54fdb66e2e6fad59efd5
SHA2564b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e
SHA512dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll
Filesize130KB
MD52735d2ab103beb0f7c1fbd6971838274
SHA16063646bc072546798bf8bf347425834f2bfad71
SHA256f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3
SHA512fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll
Filesize143KB
MD5f786ebe6116b55d4dc62a63dfede2ca6
SHA1ab82f3b24229cf9ad31484b3811cdb84d5e916e9
SHA2569805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12
SHA51280832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f120672a100bab920ff3a94363fc32e6\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll
Filesize83KB
MD58096037b0aeb7e4266066110f84eb403
SHA109435a274f44416eeae427ac126050934d739472
SHA2563831ef96ff81e90255e518668f4a708c394249e3f67e166a2992ca7260ca890f
SHA512806b0b14ff4119dab6762e0564bc526322c69f785dcf6023f631de4b44124842a902fd0e0239bdade213d768b88f01bfac3cfd3078e02fea7b51ddbd8382afb8
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll
Filesize59KB
MD58c69bbdfbc8cc3fa3fa5edcd79901e94
SHA1b8028f0f557692221d5c0160ec6ce414b2bdf19b
SHA256a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
SHA512825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll
Filesize42KB
MD571d4273e5b77cf01239a5d4f29e064fc
SHA1e8876dea4e4c4c099e27234742016be3c80d8b62
SHA256f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575
SHA51241fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP817F.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll
Filesize187KB
MD52661318e8f9d2ded53f7dae0f81ac3f8
SHA1aa6e4b255f76ca3604cebb3811855f55cf6a9e4a
SHA2567f2337a79ff3ffb6bcc89deb2401e6a816ccede319290533718b63456cd9302c
SHA5127413da0be77b508fe81c37b79504770c73d7023a4bf58ff429a07abe9b4accc7dbb380f74757b21bff9c508cda32cb27d6a3bef0800441538eed057d335073b3
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll
Filesize855KB
MD57812b0a90d92b4812d4063b89a970c58
SHA13c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea
SHA256897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543
SHA512634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll
Filesize43KB
MD53e72bdd0663c5b2bcd530f74139c83e3
SHA166069bcac0207512b9e07320f4fa5934650677d2
SHA2566a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357
SHA512b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626
-
Filesize
691KB
MD56de87e8de40373bc3462ce2278ea59b5
SHA17f06f8db78fcecbd97df14b3c330977894512954
SHA256679a255563400c47213674ec097e13d2cd4483fdc4cd5c595191e57fe650e6a7
SHA512355846497ba636ad297c1fcf7be033fbede3d0496ed9484b09d619c2fd74b2b2e30af3111e51b993a59447103780376051f52898610e9d7a5be4ed0f23dfe7b5
-
Filesize
648KB
MD5b80e03698830b14841baf33148848e2a
SHA1ccf181f7d2c5eae98c354b8afca7c271398c8102
SHA256d879750b44ecb2f9e182395f5ebb3942653d8c1bf8b5dea96c0ed56a5dbe6caf
SHA512685ed9774f07815d9772eab6794d3e17e964a0065a32cef26325a0d1cda5b9637154541da8be925e9eee4990dff29fd034652cbc78028322f4b692eb726b393f
-
Filesize
603KB
MD5e15c8a43d69b5055ed9216d3ae0cedd1
SHA1e10974d2b5d1e0c63cc61d380645d6d1577e10ed
SHA2564dc42c296a54617eafd21295874561d57208c24f1092d9c5dfc0515b86151393
SHA5126756a607a88581ece6b8516b3cb0e567874e01e6b2ccc2ef1ec4bcfa36cccceff690863f1f6cbc9d25090bf970cbff3cc6603b6c9e95bead20d65c4c233e374a
-
Filesize
577KB
MD5d9fe1c412247fbfee0d78bb287d6e8f4
SHA1668c895566c8ad7e9abc54cfec5d40e663625713
SHA256c2c42bb6c7dd6993a27869cb51d3e16cda47a384e60c79e5561ba3eee4f3dce8
SHA5121141e20934656d9cf04fa66d06a18899cad0208801a5fe46237fc9078b093daee36266d3fcd42590cde09831b47f750fceee1b2f4140eea53e16ca0e7c394aa1
-
Filesize
644KB
MD51d04a330c9aa8fbc836747242b955a40
SHA1cf4dc2fec2ea8e2b40e274cc6b06111fad59878d
SHA25657c405f4176319820fc842eed0da8e03c92a7baa4b505deb1c904daa5d0056a5
SHA5129a85e3e49cf7a0eadde0f066e6d32731fc49af2fdc019630d7e6e5293276cf2094eda452f2a926f8c1ef937d0a0705ea2b9e621124f79deebbeb07029c3349a9
-
Filesize
577KB
MD512c9ecd00d057411950e6bcb67567a24
SHA1d98c119e87128c023353ac51d51802ee0a81939a
SHA256c906fa6fda6ff6a86551ad93f5a9733ec64044d0cfe6750a6e5dd595f056c7d2
SHA5120526e1b135119edb185af13c46b5d03557b5f401687c59898fdf2cbd4b9fb95a90419e14ce8a77ab926459d7157d194b42a906751fa95ba61cd9301ec017a2b4
-
Filesize
674KB
MD5bed66c9124952870ce831653796b2a9b
SHA1fde46987bf0e506133bc092e148d44c2a17ff39b
SHA2564f8d66fc517cfa7b35d711c6d138bb00e31b4bf656e379b0366ea417bcaf6792
SHA512f7efb884c62da4315b05c8505df994d26b443ffb73de9e5afd4c0eba35c158dcf97380675ed19ec747a722a0556e3da1ac306922295e0ab731ae73508e0740a3
-
Filesize
705KB
MD56c9fd641088dc2141ed93de4bc00eed2
SHA1b34d338649ada64c7941a0022bfb7bc2bb43e399
SHA2562d3b93555b2f7857d385a2ee473134d8ba7a245d8dc6243701dd1204d04acbad
SHA512afa32f81fe66ad62f813f9d4f712b2f25f52d3125f10855dd078ad8ad13888acc3ff28ff89ffd8b7d0988d8eb5b5b6e60f06153165e0172bdc057745c7de61b9
-
Filesize
691KB
MD53ea8fbf44cc6d0415e97b47156d31c3a
SHA126f3aa04f56dd26b52278cc217c0bc08fc8010a1
SHA25652d401b18afd6b2a6fc68b9d5d039ebb8eee045f875c49cd1bbda29f11d0fa67
SHA5123b6a16b52f1199ea015568c90d6e35e3c0238625ba9741a3b48f5bf05f075c23ffe2f82a00690fcc1321ac4e6e2f1dd547721995eee20a9a5b2fcaf764f4a76a
-
Filesize
765KB
MD55f6ad7c6c81bff2a9ae74c0f18f2ee06
SHA133b04c52e229056a40613d7d7de1df0172a14431
SHA2564bb215e644b87e4d7e381cc6fd9ab168255265d9f91630b3caa8380466fda89f
SHA51257ed72b2a4f939924b6bd5babcd16b9c9e679ae0c7d6827ec5007271f062acdc84ab8fcd9e3c24d62cbcd255ee856e3070aa9bc155669bcda9dc694069fa1525
-
Filesize
2.0MB
MD587450c3aa41609914f40adf87ed09ac0
SHA194a6e68aab51db3879132ef131132eb6b1e9204a
SHA256d959788da837942ec0119c03508e6bf59c2e482432ab6ca5174e21d0a3b953d5
SHA5129b3f5fbda7b3b78634ab00dabb01fa6230a0a1b11beff22dd122bb53f19908b9d838031f94da38d9c042af811af625d3009a9823afa7e3dac86f2d395c76cc3c
-
Filesize
1.2MB
MD59ca040daeaffcb36465a9466932ad9eb
SHA1ad5c8feb104d2b226db8f6d78f27af2716d14c48
SHA256507a2451d2d4e37c9aba5e2b16c699718a8f5cd2927bcf7a34933b98407978d5
SHA5124eb5c34a2f0b740ca4ea5216f3eca1d926a9c2d7a837cbd3e2134ab661314e93b394627cfac1c6c419fc0dd6f15ec8aa18f08d432fb84dd5135613e9d2a943a6