Malware Analysis Report

2024-11-30 02:41

Sample ID 240407-wfvztsae94
Target 2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil
SHA256 aac3b7d99fda6f1f5bb0c48cb147fcda1694c67d0955db3e0c855f8245c40e85
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

aac3b7d99fda6f1f5bb0c48cb147fcda1694c67d0955db3e0c855f8245c40e85

Threat Level: Shows suspicious behavior

The file 2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil was classified as: Shows suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks processor information in registry

Uses Task Scheduler COM API

Uses Volume Shadow Copy WMI provider

Suspicious behavior: LoadsDriver

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 17:52

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 17:52

Reported

2024-04-07 17:54

Platform

win7-20240221-en

Max time kernel

48s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe"

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\4510063f78a61a12.bin | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A
File opened for modification | C:\Windows\system32\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A
File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A
File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{88EAB8A4-EFFC-434B-9DD5-CB32003FDBE9}.crmlog | C:\Windows\system32\dllhost.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Windows\ehome\ehsched.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Windows\ehome\ehRecvr.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{88EAB8A4-EFFC-434B-9DD5-CB32003FDBE9}.crmlog | C:\Windows\system32\dllhost.exe | N/A
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | C:\Windows\ehome\ehRecvr.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\ehome\ehRecvr.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\ehome\ehRecvr.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\ehome\ehRecvr.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Windows\ehome\ehRecvr.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\ehome\ehRecvr.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
Token: 33 | N/A | C:\Windows\eHome\EhTray.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\eHome\EhTray.exe | N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehsched.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\eHome\EhTray.exe

"C:\Windows\eHome\EhTray.exe" /nav:-2

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"

C:\Windows\system32\IEEtwCollector.exe

C:\Windows\system32\IEEtwCollector.exe /V

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\ehome\ehRec.exe

C:\Windows\ehome\ehRec.exe -Embedding

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

"C:\Program Files\Windows Media Player\wmpnetwk.exe"

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 244 -NGENProcess 22c -Pipe 240 -Comment "NGen Worker Process"

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1c8 -NGENProcess 1d8 -Pipe 1dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1c8 -NGENProcess 1d8 -Pipe 1e0 -Comment "NGen Worker Process"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api2.amplitude.com udp
US 52.41.122.210:443 api2.amplitude.com tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 ssbzmoy.biz udp
ID 34.128.82.12:80 ssbzmoy.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
ID 34.128.82.12:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 104.198.2.251:80 cvgrf.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 104.198.2.251:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 34.174.61.199:80 npukfztj.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 34.174.61.199:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 72.52.178.23:80 przvgke.biz tcp
US 72.52.178.23:80 przvgke.biz tcp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
ID 34.128.82.12:80 knjghuig.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
ID 34.128.82.12:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 34.29.71.138:80 xlfhhhm.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 34.29.71.138:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 34.143.166.163:80 ifsaia.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 34.143.166.163:80 ifsaia.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 34.67.9.172:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
ID 34.128.82.12:80 vcddkls.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 34.67.9.172:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
ID 34.128.82.12:80 vcddkls.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 67.225.218.6:80 fwiwk.biz tcp
US 67.225.218.6:80 fwiwk.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 67.225.218.6:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
NL 34.91.32.224:80 tbjrpv.biz tcp
US 67.225.218.6:80 fwiwk.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 34.174.78.212:80 deoci.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
NL 34.91.32.224:80 tbjrpv.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 34.174.78.212:80 deoci.biz tcp
US 8.8.8.8:53 qaynky.biz udp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
SG 34.143.166.163:80 qaynky.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 34.143.166.163:80 qaynky.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 34.174.61.199:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 34.41.229.245:80 dwrqljrr.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 34.174.61.199:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 34.41.229.245:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 8.8.8.8:53 ytctnunms.biz udp
US 34.174.206.7:80 ytctnunms.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 8.8.8.8:53 myups.biz udp
US 34.174.206.7:80 ytctnunms.biz tcp
US 165.160.15.20:80 myups.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.13.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 34.41.229.245:80 oshhkdluh.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 34.41.229.245:80 oshhkdluh.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 34.41.229.245:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
ID 34.128.82.12:80 wllvnzb.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 34.174.78.212:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 34.67.9.172:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
ID 34.128.82.12:80 acwjcqqv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 8.8.8.8:53 yauexmxk.biz udp
US 34.174.78.212:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 34.143.166.163:80 iuzpxe.biz tcp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 34.41.229.245:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
ID 34.128.82.12:80 wllvnzb.biz tcp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 34.143.166.163:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 34.174.78.212:80 gnqgo.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.168.225.46:80 vrrazpdh.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 34.67.9.172:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
US 8.8.8.8:53 ftxlah.biz udp
ID 34.128.82.12:80 acwjcqqv.biz tcp
US 104.155.138.21:80 ftxlah.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 8.8.8.8:53 yauexmxk.biz udp
US 34.174.78.212:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 34.143.166.163:80 iuzpxe.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 34.143.166.163:80 typgfhb.biz tcp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 34.143.166.163:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 esuzf.biz udp
US 34.168.225.46:80 esuzf.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 34.168.225.46:80 vrrazpdh.biz tcp
US 34.174.206.7:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 8.8.8.8:53 ftxlah.biz udp
US 104.155.138.21:80 ftxlah.biz tcp
US 34.162.170.92:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
US 8.8.8.8:53 typgfhb.biz udp
NL 35.204.181.10:80 brsua.biz tcp
SG 34.143.166.163:80 typgfhb.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 34.29.71.138:80 oflybfv.biz tcp
US 8.8.8.8:53 yhqqc.biz udp
US 34.168.225.46:80 yhqqc.biz tcp
US 8.8.8.8:53 esuzf.biz udp
US 34.168.225.46:80 esuzf.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 34.29.71.138:80 mnjmhp.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 34.174.206.7:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 34.29.71.138:80 opowhhece.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 34.162.170.92:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
NL 35.204.181.10:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 8.8.8.8:53 yhqqc.biz udp
US 34.168.225.46:80 yhqqc.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 34.143.166.163:80 jdhhbs.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 34.29.71.138:80 mnjmhp.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 8.8.8.8:53 mgmsclkyu.biz udp
US 34.29.71.138:80 opowhhece.biz tcp
NL 34.91.32.224:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
US 8.8.8.8:53 zjbpaao.biz udp
ID 34.128.82.12:80 warkcdu.biz tcp
US 8.8.8.8:53 jdhhbs.biz udp
SG 34.143.166.163:80 jdhhbs.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 34.143.166.163:80 gcedd.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
NL 34.91.32.224:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
ID 34.128.82.12:80 warkcdu.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 34.41.229.245:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 34.143.166.163:80 gcedd.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 34.162.170.92:80 xccjj.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 34.174.61.199:80 hehckyov.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 34.41.229.245:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 34.162.170.92:80 xccjj.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 34.174.61.199:80 hehckyov.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 8.8.8.8:53 uaafd.biz udp
NL 35.204.181.10:80 uaafd.biz tcp
US 8.8.8.8:53 eufxebus.biz udp
ID 34.128.82.12:80 eufxebus.biz tcp

Files

memory/2988-0-0x0000000000860000-0x00000000008C7000-memory.dmp

memory/2988-1-0x0000000000400000-0x000000000085A000-memory.dmp

memory/2988-7-0x0000000000860000-0x00000000008C7000-memory.dmp

memory/2988-6-0x0000000000860000-0x00000000008C7000-memory.dmp

\Windows\System32\alg.exe

MD5 be7b2ca1f615c157dcdcdada2c6ffa8b
SHA1 6c51035b468bf4ab11deea95a78c648ad8542add
SHA256 a69d5661e47a305cb21ff2c2887cf5d7a832a592efa574293a5ab6828670cacf
SHA512 5b10aed5baf8b15f58657fa3eb085558be3d1c648feebb9c841ca29487e38c3fdd0a35dd60900de4b5ec245e674447ef5e16afafc652ba4fcb455171c5de4c28

memory/2068-13-0x0000000100000000-0x00000001001E3000-memory.dmp

\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 bdf66db218c96d077ab69d078e4e616d
SHA1 1f30f3657c2fdb923c34f01a24188fd70bec1ba7
SHA256 f86ec08f05aecb70c2613901839203f433893342c7c5e7a08c9ec76fe0f05d5c
SHA512 922eedae987ec9d1e7bf33aa11ce21e8e0f677548367fd997a539bf0590530c161ea0a446f7debc342712a1b56c5ef2b4cc18d4c143094fef253abf139d6dddd

memory/2628-17-0x0000000140000000-0x00000001401DC000-memory.dmp

memory/2628-18-0x00000000005D0000-0x0000000000630000-memory.dmp

memory/2628-25-0x00000000005D0000-0x0000000000630000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 eb89a13b297b78e64b248a1dfb0280df
SHA1 0757422830a81656d4aa6e241520ab62b3157e90
SHA256 ccc49933ae7ac16e5e48edc4759cf66e130f8bf8cd7d5cd11c18473e98ed74a5
SHA512 c4b41b52df3e269950058124fc2a0286bbc74b087c3fab244fb72bd0db8cfe94b9811944d515519c6ca475ae4965966f49b6aff05df96f0aa1eb720e5bba3afd

memory/2696-30-0x0000000010000000-0x00000000101DE000-memory.dmp

memory/2696-31-0x00000000004D0000-0x0000000000537000-memory.dmp

memory/2696-37-0x00000000004D0000-0x0000000000537000-memory.dmp

\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 22e78101544223fdf88347a4eb36c31a
SHA1 7de9f62ff9acab6f305137b79d1b49c74c517635
SHA256 a5e77f51d36fb86c81077e06dc54a416549f409b53a65051813d5b936e74c045
SHA512 ba5b97a0570fec9b68e9a27cbd342c22d3d363f2130514394bc44df8fadce625f155c23a1dbfbca3d9c1fddb28f83c51f8fdba513c6137c30f3a3068634ceea9

memory/2420-47-0x0000000010000000-0x00000000101E6000-memory.dmp

memory/2420-48-0x0000000000710000-0x0000000000770000-memory.dmp

memory/2420-54-0x0000000000710000-0x0000000000770000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar176E.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

memory/2988-93-0x0000000003A80000-0x0000000003A81000-memory.dmp

memory/2988-94-0x0000000000400000-0x000000000085A000-memory.dmp

memory/2068-95-0x0000000100000000-0x00000001001E3000-memory.dmp

memory/2628-96-0x0000000140000000-0x00000001401DC000-memory.dmp

memory/2696-97-0x0000000010000000-0x00000000101DE000-memory.dmp

memory/2420-98-0x0000000010000000-0x00000000101E6000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

MD5 f96aeb54538753c7e679318ecaff0289
SHA1 910d76a6f6e705310d3cbd2f997259653fe90dc2
SHA256 5ebd1f160a600159af6d5b479adff3a2980931edbc0a0a979f8471e862d32510
SHA512 a896ccd0f2fb9a55ead32b022a8d005472868cba79e0fa4b6134c8ed9ef02a7d9e69d8920dc129a43585534acc96907cb12e8f425e054fbf73302d7b2a9df029

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 1f85a1ae87dc0bc52160ded190803b7d
SHA1 f4b11762d769d2ef3fb640ac47597a7a35a8c817
SHA256 a6f45d6b647f0d254677b48dc4977b295c0ef9cc4eedc5323ddf8781ecd6f675
SHA512 cac97a125cd7ce4387185b3e33ba5d0c0c58c96cb72459b0c949f060bba34ed4f923a6c426dbd91a061ae208fd3d73c4c12df504d832e991855e4d7c7cb6d870

memory/2484-105-0x00000000002C0000-0x0000000000327000-memory.dmp

memory/2484-107-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/2484-111-0x00000000002C0000-0x0000000000327000-memory.dmp

memory/1280-118-0x0000000000420000-0x0000000000480000-memory.dmp

memory/1280-120-0x0000000140000000-0x00000001401ED000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 3a9cf37a930c597ca60a68422e27dc3a
SHA1 23d0ffde5eee79f57713100ecf09906a80cf724c
SHA256 a431aa0cec35c35eb7cde6894270ea7deec868e071659f561d5a958a5ca2c476
SHA512 0a2be229aed783b362bc071a3c5f7d1bac5722f0f71772ddec7fbe9f69d26fbabc01c2c2b9d662771251bfdfe50d355e2d1e4633e0683758c76b582090195ad8

memory/1280-126-0x0000000000420000-0x0000000000480000-memory.dmp

\Windows\System32\dllhost.exe

MD5 dc62eacfe3ef3ebee93cac18ff36b3cb
SHA1 ae52f899be1c6b0443b341fe9e3b958e4800f194
SHA256 6a4bdf4c4f02b4015422db8273aaee9eb3c6c1b52387757b7f3ed30e26be762d
SHA512 4584f99e1cdc62e4e888a15474a77d902b1dfbc1b3a44b2eb19f0a9ab817b11c9507dfe0cb2d85964332a3d6e076f9e15705809cfafbc015606dbe4d775ae47b

memory/1684-135-0x00000000002D0000-0x0000000000330000-memory.dmp

memory/1684-137-0x0000000100000000-0x00000001001D4000-memory.dmp

memory/1684-142-0x00000000002D0000-0x0000000000330000-memory.dmp

\Windows\ehome\ehrecvr.exe

MD5 e3ce4fadf29f2fda97a934a6a866d7b0
SHA1 12a70db7931c36261c3ef04a01d60a5052f82b7c
SHA256 b60fe081fdd246649cb9547e9f5e72ff54e06675177d58e1ff6fd5c6ee0fed6f
SHA512 91782cf1a5f2780143752cce9afa40101f42eaf47a402f28f4a77d664129d3ba2e15dd5e3e2e9d4d33ca6abc33d84d5aa0437670740211d30cdc4b9a795e7de3

memory/1484-148-0x0000000000A80000-0x0000000000AE0000-memory.dmp

memory/1484-149-0x0000000140000000-0x000000014013C000-memory.dmp

memory/1484-156-0x0000000000A80000-0x0000000000AE0000-memory.dmp

\Windows\ehome\ehsched.exe

MD5 5929993209ccb7f96975f6681208b536
SHA1 df8a7efb40d77289f046bc9f361fdf515a491907
SHA256 4ec68772f24ca2fc3726afa0a02a4ae3a512c61801417a56842ee2fc14def35d
SHA512 6e1c5e5c40bd0f2c153a324e47bac9e745e0ea891cf1be15e5fb4cbc3758b11a1bb05960e10f16097189283b85f8c413a5579388fe96d0dcbed99976dc3ef9e3

memory/548-163-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/548-169-0x0000000000B80000-0x0000000000BE0000-memory.dmp

memory/2484-176-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/1484-177-0x0000000001A30000-0x0000000001A31000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 1d0087efe3b8d422e0da053368933d8a
SHA1 b307d256afc31057ea62dd7d813bf08f71b7549f
SHA256 ca9c8909d9a46ac693f86edfdb53c6ac125f55416380d519a50c5d49ca0b52fe
SHA512 9a42841c05a113f1b96ac70ce205c293ca7cebe5a6af70f813cf5b05f44af4dab483d26c958a8f3dcef670909dcaa335c4ed5a19bc5338c5ba8316733d8691cb

memory/2128-182-0x0000000140000000-0x0000000140237000-memory.dmp

memory/1280-188-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/2128-190-0x00000000001E0000-0x0000000000240000-memory.dmp

memory/1784-193-0x0000000140000000-0x00000001401ED000-memory.dmp

C:\Windows\System32\ieetwcollector.exe

MD5 e4748fa873698bbd6b6edb94b370095e
SHA1 d3dbd5e108fbcb47c3285dcaca49ca40f9a2cdbd
SHA256 6e165a97e540b1a3e59b7e864ac64913a3acd3d24122de823206b3d56f00d982
SHA512 0ba31b5583ffad488dac677ad5acbb84423bc9210d86e83de6bfd3806730de5419689c55b84cd851bd1c6b39fadf26272993831a209dc127a5007c74b33163e6

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

MD5 77454098de522d8ffe3a994b0c0b37bf
SHA1 abe2bbfc541287210542f4add9e78f117ab1cc3a
SHA256 b0c6cb21ca7329b2e57d7efbdfba4d9b31a0d8f0e86d2b7fbbc06ed6a42897a2
SHA512 e527b038908298e23b2f3f0fb40f65c82feac03cab13ab954c6f22eed1362ee26a74bc95d6bb8ae4432f19b2933b487f6dbab26b1d32c1c7a96d0b0fe5fd17fe

memory/1684-201-0x0000000100000000-0x00000001001D4000-memory.dmp

memory/1596-206-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/2332-214-0x000000002E000000-0x000000002FE1E000-memory.dmp

memory/1784-216-0x0000000000410000-0x0000000000470000-memory.dmp

memory/1484-218-0x0000000140000000-0x000000014013C000-memory.dmp

memory/2332-217-0x0000000000540000-0x00000000005A7000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 1e04153b52f699d7de613e3159082681
SHA1 c58a4ce171b85c21ab54b89f4cb33be6013c83ec
SHA256 357711d8cb72ffbe7f7fc2619f486b38ab08d0626ba031fef1f573157b306489
SHA512 5572319f8df2e4bc3f70f47a72984b02a50fd360c2966db56a5b001f84076eb6fedc4f9ff9fe47c7fb774ba00239a4d09b3ce2d04c6e68b6fb29263a09fb9a43

memory/2452-230-0x0000000140000000-0x0000000140209000-memory.dmp

memory/2452-231-0x0000000000F90000-0x0000000000FF0000-memory.dmp

memory/548-233-0x0000000140000000-0x00000001401F1000-memory.dmp

\Windows\System32\msdtc.exe

MD5 f6dd35591cb8a6a3ea4e9e470ad14730
SHA1 1be037d38c4ccfa1749af49fff5fd68bf56a3d1e
SHA256 0a183680ef5aef6645bec443c9549196edc2cdef52536c77a578c6bd0338667a
SHA512 aa13581bae9743bf818b2b5d4ba645a4818d947fb3358cb78b5b7411f7c852d1b878a90b85aa3007b78e3193dcd36cb316dda6c4bc55a3581647b79fe653cca4

\Windows\System32\msiexec.exe

MD5 408d59bb1e0acecd476fe3f61082bbf3
SHA1 e714973577246a88d64d8f114eb881744e12b1ff
SHA256 7078927d17f29d1be45f444ededc1bcd18c4bd708b9ff74f0eb5dbf37270e233
SHA512 a36645da9627f50109fac31d224d63b6f0a5f84b1f6e0e24fffb8daddfef79cce45846e0db031854ebf103a6b88e5d869adcb3fc42402ea65c6c2947c2625f83

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 14e2dd4c8285527da0e4e678f5b1150e
SHA1 e16506807275ad156f0db72ee5d87f1138def2f2
SHA256 212bd71fcaa8dcb65ead92f0c753409c79472ed64631bfad9ad9eaf61afde062
SHA512 b92e32ef8ca345566ba873954308f3537674defa17000be6773aa453b8c7b679cd7a34a085b794620451df282286a1f0b97c33c029195e834f40f6dddb89f950

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

MD5 64063c7723efa071bdfd84d40087513d
SHA1 36614b90c9f357350089c3075d8849dcf9d1bde2
SHA256 8d598be4b888bda31c1aa52dd2215103c0079881f30f94f1845f9c40a1ea1de2
SHA512 1e5629a1a0593be54fa47f097a46aff827f7aa1a14344dd9ae04fc36198f7c4cf973572e9e643ca3bee1961d76518eefd625b8e08c6ff02d6f315d4bebb1befe

C:\Windows\SysWOW64\perfhost.exe

MD5 29d8c2fb1c3d94a0d85077b1b59ecb9f
SHA1 a1c44e3a0efc833a25ac719309e5d1b00d4ad0eb
SHA256 a4958641cf2f9402cf638dfc22b6763fc59ea39f69a732cdd10abb471e345ca4
SHA512 62ed97903903388a15061286614acac42c38c522be78012edb909ebd4dbef082b42ff95168c852254f46990d337ed6b7d5e9f4004e557207a5277046b7f9e469

\Windows\System32\Locator.exe

MD5 2384ab24cb576708645b53f94b1ce760
SHA1 1b2f9fe1c6e75b9bcd6ab3c3f0a62a8e6c717945
SHA256 b02f00af9b0b220695b53e467a37765ed37d855361ce814c5c33db62b5bae24d
SHA512 60c98e18cea5234dc227027af94cb86ea396e7841737618dac3bc74519af23d719c4d535c78e482b19fc601f6813010db90c3ed286249c2181b26b43a6b207ac

C:\Windows\System32\snmptrap.exe

MD5 1e70a2f17d1a544dccc8b0e3923dd6d3
SHA1 0bc16c241caedd4e1b9a276d144183ad57fe980e
SHA256 fd9688530da6efa7c857ab6601e48ec5fa3c1a2146e388693f9523eb94f257bb
SHA512 1bd870b26d432c19a57fdf01b9aa8844d23d41377893771ebceea381437180f97dbf9781914dfbde070d67f038617e5c3e6e74652ce5bad85aa26eef969cba11

C:\Windows\System32\vds.exe

MD5 42ed96c0df19f2b4466c74894773a7da
SHA1 d2d134cb80a5e6ac71ca3860726b284239d9d09e
SHA256 7825f51d1bed20284f067ebd255a40ac387468a9701343784eaf10024f68aefd
SHA512 bcc0ebfbb40ff014f0cd20f096ecb7e7438b638936e80328ff208395ca024ba6595d92df937e4bbd64e22636771901cca7397702807adf6e9e9d17f5925d2630

C:\Windows\System32\VSSVC.exe

MD5 90a5d2643a8c237e3984d1ce162d1e51
SHA1 73f2094e94436e08bd7b99ad7f2bb2031b8ccee4
SHA256 c2c4ead1f7f14078bc8928efe2d0faf38cb6179d2752956400e9e5a3dcb3145a
SHA512 795293e88671ec987237fb46f4f3075c2d4d784ae4a5282578c3b8b02bb145679bb6b521caa2fa1b80d43abeffa484ad6b0b0062bab8029624d15e93bf2342f4

\Windows\System32\wbengine.exe

MD5 ab6f7de37c5d1f8e62c1a595926a2b39
SHA1 8957024f821341f7cd975e054d82f8e37faa63b6
SHA256 970a3478223a2623c8518d58e11f4d96dec04024c4f30a435ca7741f1327db4d
SHA512 df60e8d28a9660b2dc59a4d4c203844146654367de4f421d68d27e570724f75fe2bbb65e82996c85d3d81331dc4cc5028349084651e284fa5c456766af4dbaf0

\Windows\System32\wbem\WmiApSrv.exe

MD5 55a8b263134a31af806c7458ac8ad905
SHA1 6e5df187f42d0bbde1fc4c11865a41d415ca77bc
SHA256 44f901a710bb411af7a2fe29b73080f21322a10bd2d27b55e9ed035e4a9f11d6
SHA512 52a7c2cfab61ca68ff17cb621059307f6f4fcfd56fcf17d22834b614189cf1c7d71eca358b3157ac5fe4e174a07cf4b497faba5fa25fe182122f1411e77354d1

\Program Files\Windows Media Player\wmpnetwk.exe

MD5 de25e6409cbb7009b8cb804499953f6c
SHA1 a07a69c98fcaf4c98236061161c14a1fafd8b593
SHA256 bcef5c7187f3f9222ab47637b1ca4e4fbf1fd6ab52b30705a2981b612f97ed0c
SHA512 2e4bf5ff634bf77111234c14900501aee273b87376286a04570cac09e6838a4055d30caf88e5e1f65e2c0b4095a344bb64531a9c28ae08fdf0ab6296e3e35f67

C:\Windows\System32\SearchIndexer.exe

MD5 1d8662ae9088aab5fb5b302ed4e8b2ed
SHA1 80edde8dc47340873674947f48e36a0cda7bd277
SHA256 e2475eada85f72f5f2803e18b22fa92f2a339525b0a5c3a3fd8df8a24529b10f
SHA512 75d1a83488f72543cd58aea621131f677baf8174be6498597aea8c48e39f506abc663fd71e7bd34fce7e5b3f0f2306730805a0682163682317d36b915b5950e6

memory/2500-302-0x000007FEF48A0000-0x000007FEF523D000-memory.dmp

memory/2500-304-0x0000000000EB0000-0x0000000000F30000-memory.dmp

memory/2500-305-0x000007FEF48A0000-0x000007FEF523D000-memory.dmp

memory/2400-306-0x00000000005E0000-0x00000000007D1000-memory.dmp

memory/1040-307-0x000000002E000000-0x000000002E1F4000-memory.dmp

memory/1040-308-0x00000000003F0000-0x0000000000457000-memory.dmp

memory/2184-309-0x0000000100000000-0x0000000100542000-memory.dmp

memory/2472-310-0x0000000001000000-0x00000000011D5000-memory.dmp

memory/2472-311-0x0000000000230000-0x0000000000297000-memory.dmp

memory/1320-312-0x0000000100000000-0x00000001001D4000-memory.dmp

memory/2212-313-0x0000000100000000-0x00000001001D5000-memory.dmp

memory/2800-314-0x0000000100000000-0x0000000100253000-memory.dmp

memory/2012-316-0x0000000100000000-0x0000000100219000-memory.dmp

memory/588-317-0x0000000100000000-0x0000000100202000-memory.dmp

memory/988-323-0x0000000100000000-0x0000000100203000-memory.dmp

memory/2236-330-0x0000000100000000-0x000000010020A000-memory.dmp

memory/2236-347-0x0000000000840000-0x00000000008A0000-memory.dmp

memory/2236-387-0x000007FEF1B60000-0x000007FEF1C88000-memory.dmp

memory/2508-373-0x0000000000D90000-0x0000000000DF0000-memory.dmp

memory/1484-416-0x0000000001A30000-0x0000000001A31000-memory.dmp

memory/2864-414-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/2400-438-0x0000000100000000-0x00000001001F1000-memory.dmp

memory/2508-364-0x0000000100000000-0x0000000100123000-memory.dmp

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

MD5 395b90b5d6e98603b7ffaddbc8383fb3
SHA1 0a6cbbddf032fbc48d9563957c84d12b3d5c2067
SHA256 b378a93abe22dd1b2c4f2bd3025f2141e4bf6b75519956d7f50815f372eb8dfd
SHA512 4ac46bb9d50f3fb2486b547ed590624d21ae72f4eccc65b92413cd0944585d2bb69af48832729d3640ca6054f31e45654ddd93b8d26eb449393298eb37834821

memory/1784-564-0x000007FEF5D40000-0x000007FEF672C000-memory.dmp

memory/2184-565-0x0000000073DA8000-0x0000000073DBD000-memory.dmp

memory/1568-567-0x00000000001E0000-0x0000000000240000-memory.dmp

memory/2236-566-0x000007FEF2030000-0x000007FEF20CE000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

MD5 5fc8bbf0947d51e98a53b6556df947e8
SHA1 41b8322f1f69d4ea01b40b56646ff79976b9249a
SHA256 4489866a7d9578183f8f71f1a3523ffbd67fd9ffc10ba619c04ac54f45204059
SHA512 ddcf4f1b0c3163fccd5fc0e751070a3ed53ba97294d39be8eecef6ac05cfa3fb5c1403c4eeb377fa198fa4fd797ee2c42a37b6f6e7ecc7bebab4a21c1b98b7f4

C:\Program Files\7-Zip\Uninstall.exe

MD5 245d8a41bc63eb6582ba281fa0912c2b
SHA1 cdc8e93b5a47a8532924cb07b73a882798190cce
SHA256 17bd1a9fba7960b9eeb32ea0da0612aa83f73c6eac2f413c092aaba36109964d
SHA512 e745b81b7134556948c5aa60283cdb787c6b5d8fbbfacbf3cafde99e684a11c6984f493a582a1997fadaf7215f835fdff0dddecced5d61349e329288e51f1ec3

C:\Program Files\7-Zip\7zG.exe

MD5 3310238c2c655caf23587a5f7eb1a26d
SHA1 69363e0ef04d31dae105cf3e9707ae4ee15b3198
SHA256 9432a98a2222a723fa6b82205795487d46958c9512a32c66e1de66edd55065c8
SHA512 9bfeaf2c323a55243018782e69675803f5e5cadfe4d8b49646f8a6bd6e622c30c7b635783ca357fbc8662003cbf9176931934884a94aa06af393fe7105d68e18

C:\Program Files\7-Zip\7zFM.exe

MD5 7e9e407ad56df3af58a1889fb91625d7
SHA1 337daa9d0dcd64caefdd7797860e967c152ef328
SHA256 52a1ff94679a3e21749f2f635b2fdcbde1c06346d816a4334281e21a4200998b
SHA512 038b217bc33b009372c532a8e276553197e736e44c3a943255523b2088b2a3336ff9e26c0231844884586a9dba10e273442dd6beba8bffd410324d9833107927

C:\Program Files\7-Zip\7z.exe

MD5 7e962ebf24172bc33c01a724eb82317e
SHA1 e943c9c359a3cea27e5986f4ec90d8088ee0f8fe
SHA256 206818f179fddc42ec47db1ee4c92a7e74008c9d3b5f8abd75a10fc959e9b519
SHA512 a0b3a41b55155c797d3ef254483ec2598d4adf5b7b916adf8ca6f868507843d8bb4ca3faeb2a204af57d1ecbb70b18943a485722fd92b860ea287a8805759c67

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 3a90dc1b397b191b957bca5dd6de2736
SHA1 a8f0a94c504554e1421ac7bbd800078992e62951
SHA256 7768c10e57c0d9d9db162f7bb168d2637e260989ff4b7fb95d989b6a98e74054
SHA512 412af2739ccff1035b34f2b59df98fc3f4b07e7e2b952f4e8cb460c78a5df7a4a8159124e15608cf18075dbd5cf81507bc3078a66632c26f3a2da5dd0c6ca8b8

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

MD5 56255fd6af5d4a6062a14ed9edd6dc91
SHA1 d9c37adb0e4dcfc144561c05033ec85f79d71506
SHA256 fde27f621bf256e22be348b0d28bf495422ef890251941fdc57dd6d51e4f9287
SHA512 51f3a012ad561abb31ea47704701f50f450a92d20dd7ec2f0004dbff2de67b4ecb46ccc68916b00f4ba86f5927fcebb62d36cb40bd4bf444d012e429369f644c

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 8811dc19834557d81b91aec5d29f6d52
SHA1 f3bfa9f7bc8ae0c90581caaf4634db8c328e4ec3
SHA256 3b2cbf53a4fd4098097bfaacdd7427c8d4d175948664a682282951680a36fe1c
SHA512 4cc0c582b118c921cf8a339b8f8b241ff46f17784fddee2f2139539ae05ce48614c019c894bc24a115be68c823ff5ed1b2fceaa5ea4140ad6526fcc45a3e864c

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 b0dd5bb1911b50c1e75f0ffe2302504b
SHA1 34418b34d8ad6645f4912222c8f736ef67a81883
SHA256 3b43bb40e06464affe5cf6dd1b7966f5ccc1991687e7fd66ee7df209f9defc29
SHA512 af6dcd97af1e5c84af399dd54233d6214ca4883b191f92b5d765106eaa29e0924a3e811d6d7ef4760fb2204003408aa63a9926552002b36bd32d3a6fbfdc8048

C:\Windows\system32\fxssvc.exe

MD5 200bbcc6ed0a41b441c32339c2b83f12
SHA1 8599e00d5051457a1ce8aebec310df5d006f7ea6
SHA256 c7392131c24d13d1f8bffe1d0bde6356ebde03bc662aba5342f8cb847f745344
SHA512 2aba4fe2b981c16548127bd105b26a2b0dbfdbe49e75ee4b4c8d7cfa64f38f0339529426fbba5920e942e9bacd01d1e0592a19b5ebb26997b6c87a5f8b63a751

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 17:52

Reported

2024-04-07 17:54

Platform

win10v2004-20240226-en

Max time kernel

62s

Max time network

68s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\c7cffcbe8642d83.bin C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_120515\javaws.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_120515\javaw.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c43e87f1489da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000beb8de7f1489da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3668 --field-trial-handle=3016,i,1323102786462900035,7687994236215859601,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 api2.amplitude.com udp
US 52.10.216.31:443 api2.amplitude.com tcp
US 8.8.8.8:53 31.216.10.52.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 ssbzmoy.biz udp
ID 34.128.82.12:80 ssbzmoy.biz tcp
ID 34.128.82.12:80 ssbzmoy.biz tcp
US 8.8.8.8:53 12.82.128.34.in-addr.arpa udp
US 8.8.8.8:53 cvgrf.biz udp
US 104.198.2.251:80 cvgrf.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 104.198.2.251:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 34.174.61.199:80 npukfztj.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 34.174.61.199:80 npukfztj.biz tcp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 199.61.174.34.in-addr.arpa udp
US 8.8.8.8:53 przvgke.biz udp
US 8.8.8.8:53 przvgke.biz udp
US 72.52.178.23:80 przvgke.biz tcp
US 72.52.178.23:80 przvgke.biz tcp
US 72.52.178.23:80 przvgke.biz tcp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
ID 34.128.82.12:80 knjghuig.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
ID 34.128.82.12:80 knjghuig.biz tcp
US 8.8.8.8:53 23.178.52.72.in-addr.arpa udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp

Files

memory/1988-0-0x0000000000400000-0x000000000085A000-memory.dmp

memory/1988-1-0x0000000002710000-0x0000000002777000-memory.dmp

memory/1988-7-0x0000000002710000-0x0000000002777000-memory.dmp

memory/1988-6-0x0000000002710000-0x0000000002777000-memory.dmp

C:\Windows\System32\alg.exe

MD5 d337cca1c50f0aac64aeb2121dbaba08
SHA1 8bf2e2b301b446a9f9d6811a8aa9937bed8b9356
SHA256 9a2aac63074e0368267b5c81526cea245ec7398053b4bdf39292578050fd8f0f
SHA512 b98c2b2946e17ebe922adaed5d93a067b649889c0005478e1270f1ef461b70bd2b7aa5fa5d4061d6cb2c70d6c256afd5260c23e02578cd72105886c037ec9bb0

memory/4360-12-0x0000000140000000-0x00000001401E9000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 2385b539513655d4428fefcdba4ead7f
SHA1 8282b72e7853bbf4374f3933ee1f4fc09553a720
SHA256 94997d2b4f4668fa26fe34ce0e292389966bb2ba4b9ad4ad35485fd40d1522e7
SHA512 bbdb0a885e42431d81fa5d295c505f94ade68f4e572dca428c8c35f3155bd72d4ddf78681fd0ba8e6898f0627befd347bf0c74f56cfbca7bd2072f7552aa4e33

memory/4500-17-0x0000000140000000-0x00000001401E8000-memory.dmp

memory/4500-16-0x0000000000710000-0x0000000000770000-memory.dmp

memory/4500-23-0x0000000000710000-0x0000000000770000-memory.dmp

memory/4500-24-0x0000000000710000-0x0000000000770000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 6fc1ea2ae5ec2d8ac3b36dda313d6d9b
SHA1 ec55b7b0803da4691722437cf644370d70c304bc
SHA256 ca5f5f7d6f1f68df592bfa165ba2a44a451855bc9cefe8bb4ff974f3ffaf6446
SHA512 f2bf3c190faeb70bb0cf43e4befd9c88d8a1b7274e7d4f5d69a1e59a9d4c83e610a06619e6022c8cead57cb966feb0d1862e21e3fa8c53e2c3095619032754cc

memory/3004-29-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 5e66674d50423b93c62ea00f094e5707
SHA1 cbb85ed803effd8388d7396426786b12d38e7903
SHA256 4a71aab5bbc481d847f1472d96103c5c984ebce3c8ef61ec0885de2f2f56f8b0
SHA512 12a7486af42e87836cb5ac1177ae45bca94a03eff225ddbab4e6d0fd2d5aaefae79ec9171025ed9295fda0511cc7d9fb6314b2339b7093c03cb6d6b4e8b1eebb

memory/2740-32-0x0000000000DB0000-0x0000000000E10000-memory.dmp

memory/2740-33-0x0000000140000000-0x0000000140237000-memory.dmp

memory/3004-38-0x0000000140000000-0x0000000140135000-memory.dmp

memory/2740-41-0x0000000000DB0000-0x0000000000E10000-memory.dmp

memory/2740-40-0x0000000000DB0000-0x0000000000E10000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

MD5 940e34c430b9398df16516b57b3fc070
SHA1 d49307c5187fdeaa2d872c6e93698a45abd982a1
SHA256 443e297db4e83b43238217dd966114c1c2e3815a8e601bb5a88f6e7b6ff0dd70
SHA512 b444eef9fc74c1b68423de907fac5ae3a9739afc8cac9d94e9ad92efbfd8f1fec2fd3b77d28f13e607437ec967206d7d23d868d1e61cfbf3039b7ac687f7c46e

memory/536-46-0x0000000140000000-0x0000000140245000-memory.dmp

memory/536-45-0x0000000000890000-0x00000000008F0000-memory.dmp

memory/536-52-0x0000000000890000-0x00000000008F0000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 fc14b654f1f001b0505b67809090ecf0
SHA1 c07c0b2fad2066e5df64f168fc190799396d04e8
SHA256 d7d0785eeafd4b1d6625ff9a5208d366018cc58929e08e3c205b1847868ae858
SHA512 ca5c4a0abb5a74665bde03fd2141a16122f3f862bf22d90a8deab1ac6f30618f1c9accfde1025933a003709e75da93a506d27febe73da1d6d47f44aa6f085e76

memory/1988-57-0x0000000000400000-0x000000000085A000-memory.dmp

memory/3356-56-0x0000000000CD0000-0x0000000000D30000-memory.dmp

memory/3356-59-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3356-65-0x0000000000CD0000-0x0000000000D30000-memory.dmp

memory/3356-68-0x0000000000CD0000-0x0000000000D30000-memory.dmp

memory/3356-71-0x0000000140000000-0x0000000140209000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 84b9d9ea8ec5f7ed64ba7fa1214fb4e7
SHA1 6509d93cb7a6f89e185ab2608098256d1b47e17f
SHA256 b1878878ab9110ca6d1665b05488432568fca530db41c6f8f6adc81d2a710218
SHA512 8d2aba46f6daf321215b93f0ae6143befc08304141c690cc830e54a72ff476020c1e5246e9ea9aa135b3b6a5eaa54c827d25a4375170a2e5ab6817518ed4e40a

memory/4360-73-0x0000000140000000-0x00000001401E9000-memory.dmp

memory/4336-74-0x0000000140000000-0x00000001401F8000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 563502374c82a516d0aaa9f02b52cc62
SHA1 8b3cd7822d1535b78976a934ca9bd1dffaeb4591
SHA256 89dbe79a270f75d9e0f2063a35a49736c0e7d9095de4ad5c31cd3b440004a654
SHA512 c332bd57ae6ef207b0a6bbe48eddad6fa7042ed0d7d1cfb31171eae195854fd0bb37f3ad9a6408a2629eb772c373445b712c38b6e70f3e407473b0349c9fd79d

memory/4500-82-0x0000000140000000-0x00000001401E8000-memory.dmp

memory/4972-81-0x00000000007B0000-0x0000000000810000-memory.dmp

memory/4972-84-0x0000000140000000-0x000000014020E000-memory.dmp

memory/4972-89-0x00000000007B0000-0x0000000000810000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 12e625ce948c2c30c8eb5c3c6e3c2e57
SHA1 09d845932ceb5f03c5775f9f346be1166e3fffaf
SHA256 31c50da6ef71870a16ae066364f7a6fc27165892dd43c1450782686269e9d546
SHA512 fd237431a78ddcd307997d63a5c9187ee0e32c935c340654db5199e9c228e2ae2e2cdaa19b63cf3768c73c89eb22c13a571e71729961d842af4fffb1643c89bb

memory/4552-93-0x0000000140000000-0x00000001401EA000-memory.dmp

memory/4552-94-0x0000000000780000-0x00000000007E0000-memory.dmp

memory/2740-101-0x0000000140000000-0x0000000140237000-memory.dmp

memory/4552-100-0x0000000000780000-0x00000000007E0000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 b5439382b94e26cd8d6e373315875032
SHA1 c133a47ec16af137625afc290d4c7d92f04a2210
SHA256 94c7fda08e16aa5efdf4490f64b91ed9101529355a6e8bbc784a7c3dcba04a6a
SHA512 524e9aa9fcef859fd25f3bb711b4a989f67c351c0d0fc49be445289783ed9d0599fcafba5fe22d6073ab87f3fcbea879c0af567b2ee5f3f3bb4c52ca2ce932b0

memory/3104-105-0x0000000000400000-0x00000000005D6000-memory.dmp

memory/3104-106-0x0000000000860000-0x00000000008C7000-memory.dmp

memory/3104-111-0x0000000000860000-0x00000000008C7000-memory.dmp

memory/536-113-0x0000000140000000-0x0000000140245000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 dbcf58b221d5c6d84bfa956048d0eaab
SHA1 e1a196ccc8cd24efcae0eef29768d9e9543cd391
SHA256 378b1da77aef4fa13fd60f22f9a1cacb6d65c45b27e494b772bb5919a0a5be6c
SHA512 dcc19c04df95c82368024ca6dd5c9e4168a561a6308af36f21576f8b13b654bada2a226a1451e3d7a3c7429d421a9af47e0144a1da6b56c88ce726f0de9fe031

memory/3152-117-0x0000000140000000-0x00000001401D4000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 8a95fa77fdf537a717ef8cd424fa109f
SHA1 5d466da009e9bb1f83a443b146dec0b7e4600fb6
SHA256 232a26555e96a598a81273e4be2ec6d4e7d85072ba338ef1da9c8232bef4b617
SHA512 e01bc0cbbd656163fed31b3da64d0f738e3442bf23bff9e59cbeefa84844ac460008d87952f39e360628932dfed8db201514f011c22bc1f6b366f49742a8e22a

memory/2132-119-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 928c17fc8a98463946aafc110c0175a2
SHA1 97220559019671ad992492f7a6b7ee7213d360e4
SHA256 93e16e201eb174850a8a0daa064113e7b241e7c2bc960096fc91a4ef832bb956
SHA512 5f64017b4c8f2221f1d007bbcd60edd227557132be80c0a9681fc7517abbc125d35fc4e1fe0db2fa8d3549105f3bfc0dae80fe8f3b4343a814f53697dd764799

memory/4924-123-0x0000000140000000-0x00000001401D5000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 f3c7c44491f0927264944696495cd768
SHA1 e18716f79cf9a9a42f102f38e1b29d4557c7c982
SHA256 a52255afc598081b022569facd0b76437f6257f885e71ba5ba1d9e8a1d672ed4
SHA512 f58af8c998787a799754dd190c47358ee9c387929bf0d0235f7e6349349dd0eb95f2cea07bfc1bae846b5e0e760f5d2ae335fcb7310740328a4f5fc8866fa954

memory/3356-127-0x0000000140000000-0x0000000140169000-memory.dmp

memory/4972-135-0x0000000140000000-0x000000014020E000-memory.dmp

memory/3356-136-0x00000000006E0000-0x0000000000740000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 0b07addd6dc29a6e8f49fb266348b59f
SHA1 0cc598b1aca846023dd012c8bda84efcf95c5451
SHA256 05496c847793e2b98b66e67e13df2549b472c3878e6160b5665e2627f1f9cffa
SHA512 f7330d87da8d87e76074734abfb0808377e501b807fa8b4018230e808e4711cf545812757b558f0668ca3657dd8ce53c861929dff848413d54d7acbf7f5d29b7

memory/4232-140-0x0000000140000000-0x0000000140241000-memory.dmp

memory/4552-148-0x0000000140000000-0x00000001401EA000-memory.dmp

memory/4232-150-0x0000000000510000-0x0000000000570000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 cce562c8ef4ebbd9dd0ddb36b439dd9a
SHA1 25bbff875b80188f6a40bb3f3ddc890339ff489d
SHA256 cf0269c34cd1833cacacc2cfc659ceae76cc8b0e80763691e6bed5b3f22a164c
SHA512 72027c240177cdb5471aa2912d2c6aed1e442c1ba90c30d982acf3519e5fca0d3c51a2e5524190f899f595b9e57bee5d93f17e5de9b2779aa2a1439ad3c828ad

memory/2244-153-0x0000000140000000-0x0000000140221000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 bf5868ea3057e87bc87ce6c70f213e1d
SHA1 9d5c9588966736daf92a65e1e4c0bd3ef52d83ca
SHA256 13a6f2b8435fe9ca660bc335867f577e7ece11282ec93366b0013eb7bc43919d
SHA512 4b696ce650f63db10d9599c2b7d5e71c1042af59141a66e24d2080bb516a31d71ecb50659df6b1a77c7532593e566a22baa1185dd49c020d6ef811371940dc2b

memory/3104-156-0x0000000000400000-0x00000000005D6000-memory.dmp

memory/3092-157-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/3092-159-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Windows\System32\vds.exe

MD5 7a7c17fd3347aa0d8e353391888e1096
SHA1 8be381391fa2dda55caf6cfc33e55c1f8724c161
SHA256 b8d5e578cec88c175ce7ce8655289b840d0fbceb84831d6afc3161c7f54fdde7
SHA512 8230344549d4799f5acac0366ee3f2aaa198b2322d613179cdae1c1d1e022583a3b90e7047bf11a1c66ff37deb25b5c39c61cbf647c0ca3af0df4665e627623f

memory/372-162-0x0000000140000000-0x0000000140147000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 9a561da3a643de8ad2697cd8fe0552e7
SHA1 0b7a44e9dc4212e2a839a65d820af0c63ac8de9d
SHA256 49679178ee953b66d31a4598c90e36f90c1fa2b72176e1adb9741715f564c0c8
SHA512 45e79bc89806839f069fb9178a1c4894dcd8b60501ef09e04c2c293e383873c32987ffb6a12d41c00b1c033e839eaddede16097381aea37483a0b0b3a8050438

memory/5152-164-0x0000000140000000-0x00000001401FC000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 6c8f9356b9e16ff3a3c4113127ea9404
SHA1 cae7126a53ee594bb3f102dc31e63f5744749ea0
SHA256 173e2fcd7822361b9cea5d1ee6c26bcc7d109d1bd744c0f8ed9ab0f43f35bcdd
SHA512 51a0a35d92c7502448bf77464c0913dc9d9859573773af718a062b312448c78660bc94c0aced9d34967cadf9ecb4c909cf839ab30437692fad29c61ea745896b

memory/2132-167-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/5228-168-0x0000000140000000-0x0000000140216000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 37b2d2c1f6897e7a5b22f5bfc83a7ac8
SHA1 f912c77fb1872f1706d5ca058ca7be213971e096
SHA256 706fde6bc6910f0e9b433a340154e947bce72951181edab7113d2a68d4d24310
SHA512 04da41ad2307fcac51d2a4d46cf686c7fa4fa742ba5e42cc07b4a1680fc116ce4c3b155ac23e270f2d937b8531a5452d3674e4222fd6068c90c62528711c168a

memory/4924-172-0x0000000140000000-0x00000001401D5000-memory.dmp

memory/5320-174-0x0000000140000000-0x0000000140205000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 7bc9a02582122be9514496ffa2c52e47
SHA1 4c02dbeeed17165b70187893efca17098b50d24e
SHA256 659bb3b0f3c14613d89bbc240ac7ebc36a876afe6a8362eb35a10c3d7e55792e
SHA512 40e95887fb40ad84db9934251fb0ea95d635234099fc2e340ac38517657887e47179bd79c7b59a45b279fe450ebb0c13770847ec63dbab87e24f6ee5425969a8

memory/3356-176-0x0000000140000000-0x0000000140169000-memory.dmp

memory/5380-177-0x0000000140000000-0x0000000140179000-memory.dmp

memory/4232-245-0x0000000140000000-0x0000000140241000-memory.dmp

memory/2132-246-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/2244-247-0x0000000140000000-0x0000000140221000-memory.dmp

memory/372-251-0x0000000140000000-0x0000000140147000-memory.dmp

memory/5152-253-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/5228-262-0x0000000140000000-0x0000000140216000-memory.dmp

memory/5320-264-0x0000000140000000-0x0000000140205000-memory.dmp

memory/5380-268-0x0000000140000000-0x0000000140179000-memory.dmp

memory/5708-381-0x00000170BB210000-0x00000170BB220000-memory.dmp

memory/5708-382-0x00000170BB220000-0x00000170BB230000-memory.dmp

memory/5708-387-0x00000170BB210000-0x00000170BB220000-memory.dmp

memory/5708-388-0x00000170BB230000-0x00000170BB231000-memory.dmp

memory/5708-397-0x00000170BB250000-0x00000170BB260000-memory.dmp

memory/5708-396-0x00000170BB210000-0x00000170BB220000-memory.dmp