Analysis Overview
SHA256
aac3b7d99fda6f1f5bb0c48cb147fcda1694c67d0955db3e0c855f8245c40e85
Threat Level: Shows suspicious behavior
The file 2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks processor information in registry
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Suspicious behavior: LoadsDriver
Uses Volume Shadow Copy service COM API
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 17:52
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 17:52
Reported
2024-04-07 17:54
Platform
win7-20240221-en
Max time kernel
48s
Max time network
151s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\alg.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| N/A | N/A | C:\Windows\system32\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\ehome\ehRecvr.exe | N/A |
| N/A | N/A | C:\Windows\ehome\ehsched.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| N/A | N/A | C:\Windows\system32\IEEtwCollector.exe | N/A |
Loads dropped DLL
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\4510063f78a61a12.bin | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A |
| File opened for modification | C:\Windows\system32\IEEtwCollector.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A |
| File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{88EAB8A4-EFFC-434B-9DD5-CB32003FDBE9}.crmlog | C:\Windows\system32\dllhost.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\ehome\ehsched.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\ehome\ehRecvr.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A |
| File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{88EAB8A4-EFFC-434B-9DD5-CB32003FDBE9}.crmlog | C:\Windows\system32\dllhost.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | C:\Windows\ehome\ehRecvr.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\ehome\ehRecvr.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\ehome\ehRecvr.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\ehome\ehRecvr.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Windows\ehome\ehRecvr.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\ehome\ehRecvr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1280 wrote to memory of 1784 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe |
| PID 1280 wrote to memory of 1784 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe |
| PID 1280 wrote to memory of 1784 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe |
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | "C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe" |
| C:\Windows\System32\alg.exe | C:\Windows\System32\alg.exe |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe |
| C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe |
| C:\Windows\system32\dllhost.exe | C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} |
| C:\Windows\ehome\ehRecvr.exe | C:\Windows\ehome\ehRecvr.exe |
| C:\Windows\ehome\ehsched.exe | C:\Windows\ehome\ehsched.exe |
| C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe" |
| C:\Windows\eHome\EhTray.exe | "C:\Windows\eHome\EhTray.exe" /nav:-2 |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process" |
| C:\Windows\system32\IEEtwCollector.exe | C:\Windows\system32\IEEtwCollector.exe /V |
| C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice |
| C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" |
| C:\Windows\ehome\ehRec.exe | C:\Windows\ehome\ehRec.exe -Embedding |
| C:\Windows\System32\msdtc.exe | C:\Windows\System32\msdtc.exe |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
| C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE | "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE" |
| C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" |
| C:\Windows\SysWow64\perfhost.exe | C:\Windows\SysWow64\perfhost.exe |
| C:\Windows\system32\locator.exe | C:\Windows\system32\locator.exe |
| C:\Windows\System32\snmptrap.exe | C:\Windows\System32\snmptrap.exe |
| C:\Windows\System32\vds.exe | C:\Windows\System32\vds.exe |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\system32\wbengine.exe | "C:\Windows\system32\wbengine.exe" |
| C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\system32\wbem\WmiApSrv.exe |
| C:\Program Files\Windows Media Player\wmpnetwk.exe | "C:\Program Files\Windows Media Player\wmpnetwk.exe" |
| C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchIndexer.exe /Embedding |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 244 -NGENProcess 22c -Pipe 240 -Comment "NGen Worker Process" |
| C:\Windows\system32\SearchProtocolHost.exe | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" |
| C:\Windows\system32\SearchFilterHost.exe | "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592 |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1c8 -NGENProcess 1d8 -Pipe 1dc -Comment "NGen Worker Process" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1c8 -NGENProcess 1d8 -Pipe 1e0 -Comment "NGen Worker Process" |
Network
Files
C:\Windows\SysWOW64\perfhost.exe
| MD5 | 29d8c2fb1c3d94a0d85077b1b59ecb9f |
| SHA1 | a1c44e3a0efc833a25ac719309e5d1b00d4ad0eb |
| SHA256 | a4958641cf2f9402cf638dfc22b6763fc59ea39f69a732cdd10abb471e345ca4 |
| SHA512 | 62ed97903903388a15061286614acac42c38c522be78012edb909ebd4dbef082b42ff95168c852254f46990d337ed6b7d5e9f4004e557207a5277046b7f9e469 |
\Windows\System32\Locator.exe
| MD5 | 2384ab24cb576708645b53f94b1ce760 |
| SHA1 | 1b2f9fe1c6e75b9bcd6ab3c3f0a62a8e6c717945 |
| SHA256 | b02f00af9b0b220695b53e467a37765ed37d855361ce814c5c33db62b5bae24d |
| SHA512 | 60c98e18cea5234dc227027af94cb86ea396e7841737618dac3bc74519af23d719c4d535c78e482b19fc601f6813010db90c3ed286249c2181b26b43a6b207ac |
C:\Windows\System32\snmptrap.exe
| MD5 | 1e70a2f17d1a544dccc8b0e3923dd6d3 |
| SHA1 | 0bc16c241caedd4e1b9a276d144183ad57fe980e |
| SHA256 | fd9688530da6efa7c857ab6601e48ec5fa3c1a2146e388693f9523eb94f257bb |
| SHA512 | 1bd870b26d432c19a57fdf01b9aa8844d23d41377893771ebceea381437180f97dbf9781914dfbde070d67f038617e5c3e6e74652ce5bad85aa26eef969cba11 |
C:\Windows\System32\vds.exe
| MD5 | 42ed96c0df19f2b4466c74894773a7da |
| SHA1 | d2d134cb80a5e6ac71ca3860726b284239d9d09e |
| SHA256 | 7825f51d1bed20284f067ebd255a40ac387468a9701343784eaf10024f68aefd |
| SHA512 | bcc0ebfbb40ff014f0cd20f096ecb7e7438b638936e80328ff208395ca024ba6595d92df937e4bbd64e22636771901cca7397702807adf6e9e9d17f5925d2630 |
C:\Windows\System32\VSSVC.exe
| MD5 | 90a5d2643a8c237e3984d1ce162d1e51 |
| SHA1 | 73f2094e94436e08bd7b99ad7f2bb2031b8ccee4 |
| SHA256 | c2c4ead1f7f14078bc8928efe2d0faf38cb6179d2752956400e9e5a3dcb3145a |
| SHA512 | 795293e88671ec987237fb46f4f3075c2d4d784ae4a5282578c3b8b02bb145679bb6b521caa2fa1b80d43abeffa484ad6b0b0062bab8029624d15e93bf2342f4 |
\Windows\System32\wbengine.exe
| MD5 | ab6f7de37c5d1f8e62c1a595926a2b39 |
| SHA1 | 8957024f821341f7cd975e054d82f8e37faa63b6 |
| SHA256 | 970a3478223a2623c8518d58e11f4d96dec04024c4f30a435ca7741f1327db4d |
| SHA512 | df60e8d28a9660b2dc59a4d4c203844146654367de4f421d68d27e570724f75fe2bbb65e82996c85d3d81331dc4cc5028349084651e284fa5c456766af4dbaf0 |
\Windows\System32\wbem\WmiApSrv.exe
| MD5 | 55a8b263134a31af806c7458ac8ad905 |
| SHA1 | 6e5df187f42d0bbde1fc4c11865a41d415ca77bc |
| SHA256 | 44f901a710bb411af7a2fe29b73080f21322a10bd2d27b55e9ed035e4a9f11d6 |
| SHA512 | 52a7c2cfab61ca68ff17cb621059307f6f4fcfd56fcf17d22834b614189cf1c7d71eca358b3157ac5fe4e174a07cf4b497faba5fa25fe182122f1411e77354d1 |
\Program Files\Windows Media Player\wmpnetwk.exe
| MD5 | de25e6409cbb7009b8cb804499953f6c |
| SHA1 | a07a69c98fcaf4c98236061161c14a1fafd8b593 |
| SHA256 | bcef5c7187f3f9222ab47637b1ca4e4fbf1fd6ab52b30705a2981b612f97ed0c |
| SHA512 | 2e4bf5ff634bf77111234c14900501aee273b87376286a04570cac09e6838a4055d30caf88e5e1f65e2c0b4095a344bb64531a9c28ae08fdf0ab6296e3e35f67 |
C:\Windows\System32\SearchIndexer.exe
| MD5 | 1d8662ae9088aab5fb5b302ed4e8b2ed |
| SHA1 | 80edde8dc47340873674947f48e36a0cda7bd277 |
| SHA256 | e2475eada85f72f5f2803e18b22fa92f2a339525b0a5c3a3fd8df8a24529b10f |
| SHA512 | 75d1a83488f72543cd58aea621131f677baf8174be6498597aea8c48e39f506abc663fd71e7bd34fce7e5b3f0f2306730805a0682163682317d36b915b5950e6 |
memory/2500-302-0x000007FEF48A0000-0x000007FEF523D000-memory.dmp
memory/2500-304-0x0000000000EB0000-0x0000000000F30000-memory.dmp
memory/2500-305-0x000007FEF48A0000-0x000007FEF523D000-memory.dmp
memory/2400-306-0x00000000005E0000-0x00000000007D1000-memory.dmp
memory/1040-307-0x000000002E000000-0x000000002E1F4000-memory.dmp
memory/1040-308-0x00000000003F0000-0x0000000000457000-memory.dmp
memory/2184-309-0x0000000100000000-0x0000000100542000-memory.dmp
memory/2472-310-0x0000000001000000-0x00000000011D5000-memory.dmp
memory/2472-311-0x0000000000230000-0x0000000000297000-memory.dmp
memory/1320-312-0x0000000100000000-0x00000001001D4000-memory.dmp
memory/2212-313-0x0000000100000000-0x00000001001D5000-memory.dmp
memory/2800-314-0x0000000100000000-0x0000000100253000-memory.dmp
memory/2012-316-0x0000000100000000-0x0000000100219000-memory.dmp
memory/588-317-0x0000000100000000-0x0000000100202000-memory.dmp
memory/988-323-0x0000000100000000-0x0000000100203000-memory.dmp
memory/2236-330-0x0000000100000000-0x000000010020A000-memory.dmp
memory/2236-347-0x0000000000840000-0x00000000008A0000-memory.dmp
memory/2236-387-0x000007FEF1B60000-0x000007FEF1C88000-memory.dmp
memory/2508-373-0x0000000000D90000-0x0000000000DF0000-memory.dmp
memory/1484-416-0x0000000001A30000-0x0000000001A31000-memory.dmp
memory/2864-414-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/2400-438-0x0000000100000000-0x00000001001F1000-memory.dmp
memory/2508-364-0x0000000100000000-0x0000000100123000-memory.dmp
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
| MD5 | 395b90b5d6e98603b7ffaddbc8383fb3 |
| SHA1 | 0a6cbbddf032fbc48d9563957c84d12b3d5c2067 |
| SHA256 | b378a93abe22dd1b2c4f2bd3025f2141e4bf6b75519956d7f50815f372eb8dfd |
| SHA512 | 4ac46bb9d50f3fb2486b547ed590624d21ae72f4eccc65b92413cd0944585d2bb69af48832729d3640ca6054f31e45654ddd93b8d26eb449393298eb37834821 |
memory/1784-564-0x000007FEF5D40000-0x000007FEF672C000-memory.dmp
memory/2184-565-0x0000000073DA8000-0x0000000073DBD000-memory.dmp
memory/1568-567-0x00000000001E0000-0x0000000000240000-memory.dmp
memory/2236-566-0x000007FEF2030000-0x000007FEF20CE000-memory.dmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
| MD5 | 5fc8bbf0947d51e98a53b6556df947e8 |
| SHA1 | 41b8322f1f69d4ea01b40b56646ff79976b9249a |
| SHA256 | 4489866a7d9578183f8f71f1a3523ffbd67fd9ffc10ba619c04ac54f45204059 |
| SHA512 | ddcf4f1b0c3163fccd5fc0e751070a3ed53ba97294d39be8eecef6ac05cfa3fb5c1403c4eeb377fa198fa4fd797ee2c42a37b6f6e7ecc7bebab4a21c1b98b7f4 |
C:\Program Files\7-Zip\Uninstall.exe
| MD5 | 245d8a41bc63eb6582ba281fa0912c2b |
| SHA1 | cdc8e93b5a47a8532924cb07b73a882798190cce |
| SHA256 | 17bd1a9fba7960b9eeb32ea0da0612aa83f73c6eac2f413c092aaba36109964d |
| SHA512 | e745b81b7134556948c5aa60283cdb787c6b5d8fbbfacbf3cafde99e684a11c6984f493a582a1997fadaf7215f835fdff0dddecced5d61349e329288e51f1ec3 |
C:\Program Files\7-Zip\7zG.exe
| MD5 | 3310238c2c655caf23587a5f7eb1a26d |
| SHA1 | 69363e0ef04d31dae105cf3e9707ae4ee15b3198 |
| SHA256 | 9432a98a2222a723fa6b82205795487d46958c9512a32c66e1de66edd55065c8 |
| SHA512 | 9bfeaf2c323a55243018782e69675803f5e5cadfe4d8b49646f8a6bd6e622c30c7b635783ca357fbc8662003cbf9176931934884a94aa06af393fe7105d68e18 |
C:\Program Files\7-Zip\7zFM.exe
| MD5 | 7e9e407ad56df3af58a1889fb91625d7 |
| SHA1 | 337daa9d0dcd64caefdd7797860e967c152ef328 |
| SHA256 | 52a1ff94679a3e21749f2f635b2fdcbde1c06346d816a4334281e21a4200998b |
| SHA512 | 038b217bc33b009372c532a8e276553197e736e44c3a943255523b2088b2a3336ff9e26c0231844884586a9dba10e273442dd6beba8bffd410324d9833107927 |
C:\Program Files\7-Zip\7z.exe
| MD5 | 7e962ebf24172bc33c01a724eb82317e |
| SHA1 | e943c9c359a3cea27e5986f4ec90d8088ee0f8fe |
| SHA256 | 206818f179fddc42ec47db1ee4c92a7e74008c9d3b5f8abd75a10fc959e9b519 |
| SHA512 | a0b3a41b55155c797d3ef254483ec2598d4adf5b7b916adf8ca6f868507843d8bb4ca3faeb2a204af57d1ecbb70b18943a485722fd92b860ea287a8805759c67 |
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
| MD5 | 3a90dc1b397b191b957bca5dd6de2736 |
| SHA1 | a8f0a94c504554e1421ac7bbd800078992e62951 |
| SHA256 | 7768c10e57c0d9d9db162f7bb168d2637e260989ff4b7fb95d989b6a98e74054 |
| SHA512 | 412af2739ccff1035b34f2b59df98fc3f4b07e7e2b952f4e8cb460c78a5df7a4a8159124e15608cf18075dbd5cf81507bc3078a66632c26f3a2da5dd0c6ca8b8 |
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
| MD5 | 56255fd6af5d4a6062a14ed9edd6dc91 |
| SHA1 | d9c37adb0e4dcfc144561c05033ec85f79d71506 |
| SHA256 | fde27f621bf256e22be348b0d28bf495422ef890251941fdc57dd6d51e4f9287 |
| SHA512 | 51f3a012ad561abb31ea47704701f50f450a92d20dd7ec2f0004dbff2de67b4ecb46ccc68916b00f4ba86f5927fcebb62d36cb40bd4bf444d012e429369f644c |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
| MD5 | 8811dc19834557d81b91aec5d29f6d52 |
| SHA1 | f3bfa9f7bc8ae0c90581caaf4634db8c328e4ec3 |
| SHA256 | 3b2cbf53a4fd4098097bfaacdd7427c8d4d175948664a682282951680a36fe1c |
| SHA512 | 4cc0c582b118c921cf8a339b8f8b241ff46f17784fddee2f2139539ae05ce48614c019c894bc24a115be68c823ff5ed1b2fceaa5ea4140ad6526fcc45a3e864c |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
| MD5 | b0dd5bb1911b50c1e75f0ffe2302504b |
| SHA1 | 34418b34d8ad6645f4912222c8f736ef67a81883 |
| SHA256 | 3b43bb40e06464affe5cf6dd1b7966f5ccc1991687e7fd66ee7df209f9defc29 |
| SHA512 | af6dcd97af1e5c84af399dd54233d6214ca4883b191f92b5d765106eaa29e0924a3e811d6d7ef4760fb2204003408aa63a9926552002b36bd32d3a6fbfdc8048 |
C:\Windows\system32\fxssvc.exe
| MD5 | 200bbcc6ed0a41b441c32339c2b83f12 |
| SHA1 | 8599e00d5051457a1ce8aebec310df5d006f7ea6 |
| SHA256 | c7392131c24d13d1f8bffe1d0bde6356ebde03bc662aba5342f8cb847f745344 |
| SHA512 | 2aba4fe2b981c16548127bd105b26a2b0dbfdbe49e75ee4b4c8d7cfa64f38f0339529426fbba5920e942e9bacd01d1e0592a19b5ebb26997b6c87a5f8b63a751 |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-04-07 17:52 |
| Reported | 2024-04-07 17:54 |
| Platform | win10v2004-20240226-en |
| Max time kernel | 62s |
| Max time network | 68s |
Command Line
Signatures
Executes dropped EXE
Reads user/profile data of web browsers
Checks installed software on the system
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\TieringEngineService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\TieringEngineService.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c43e87f1489da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000beb8de7f1489da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | C:\Windows\system32\fxssvc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\fxssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\TieringEngineService.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\TieringEngineService.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\AgentService.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5380 wrote to memory of 5676 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 5380 wrote to memory of 5676 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 5380 wrote to memory of 5708 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
| PID 5380 wrote to memory of 5708 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-07_e566223cb3b5751b0efb0d320f01036f_magniber_revil.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3668 --field-trial-handle=3016,i,1323102786462900035,7687994236215859601,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 8.8.8.8:53 | api2.amplitude.com | udp |
| US | 52.10.216.31:443 | api2.amplitude.com | tcp |
| US | 8.8.8.8:53 | 31.216.10.52.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| ID | 34.128.82.12:80 | ssbzmoy.biz | tcp |
| ID | 34.128.82.12:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | 12.82.128.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 104.198.2.251:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 104.198.2.251:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 34.174.61.199:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 34.174.61.199:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | 251.2.198.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.61.174.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| ID | 34.128.82.12:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| ID | 34.128.82.12:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | 23.178.52.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
Files
memory/1988-0-0x0000000000400000-0x000000000085A000-memory.dmp
memory/1988-1-0x0000000002710000-0x0000000002777000-memory.dmp
memory/1988-7-0x0000000002710000-0x0000000002777000-memory.dmp
memory/1988-6-0x0000000002710000-0x0000000002777000-memory.dmp
C:\Windows\System32\alg.exe
| MD5 | d337cca1c50f0aac64aeb2121dbaba08 |
| SHA1 | 8bf2e2b301b446a9f9d6811a8aa9937bed8b9356 |
| SHA256 | 9a2aac63074e0368267b5c81526cea245ec7398053b4bdf39292578050fd8f0f |
| SHA512 | b98c2b2946e17ebe922adaed5d93a067b649889c0005478e1270f1ef461b70bd2b7aa5fa5d4061d6cb2c70d6c256afd5260c23e02578cd72105886c037ec9bb0 |
memory/4360-12-0x0000000140000000-0x00000001401E9000-memory.dmp
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
| MD5 | 2385b539513655d4428fefcdba4ead7f |
| SHA1 | 8282b72e7853bbf4374f3933ee1f4fc09553a720 |
| SHA256 | 94997d2b4f4668fa26fe34ce0e292389966bb2ba4b9ad4ad35485fd40d1522e7 |
| SHA512 | bbdb0a885e42431d81fa5d295c505f94ade68f4e572dca428c8c35f3155bd72d4ddf78681fd0ba8e6898f0627befd347bf0c74f56cfbca7bd2072f7552aa4e33 |
memory/4500-17-0x0000000140000000-0x00000001401E8000-memory.dmp
memory/4500-16-0x0000000000710000-0x0000000000770000-memory.dmp
memory/4500-23-0x0000000000710000-0x0000000000770000-memory.dmp
memory/4500-24-0x0000000000710000-0x0000000000770000-memory.dmp
C:\Windows\System32\FXSSVC.exe
| MD5 | 6fc1ea2ae5ec2d8ac3b36dda313d6d9b |
| SHA1 | ec55b7b0803da4691722437cf644370d70c304bc |
| SHA256 | ca5f5f7d6f1f68df592bfa165ba2a44a451855bc9cefe8bb4ff974f3ffaf6446 |
| SHA512 | f2bf3c190faeb70bb0cf43e4befd9c88d8a1b7274e7d4f5d69a1e59a9d4c83e610a06619e6022c8cead57cb966feb0d1862e21e3fa8c53e2c3095619032754cc |
memory/3004-29-0x0000000140000000-0x0000000140135000-memory.dmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
| MD5 | 5e66674d50423b93c62ea00f094e5707 |
| SHA1 | cbb85ed803effd8388d7396426786b12d38e7903 |
| SHA256 | 4a71aab5bbc481d847f1472d96103c5c984ebce3c8ef61ec0885de2f2f56f8b0 |
| SHA512 | 12a7486af42e87836cb5ac1177ae45bca94a03eff225ddbab4e6d0fd2d5aaefae79ec9171025ed9295fda0511cc7d9fb6314b2339b7093c03cb6d6b4e8b1eebb |
memory/2740-32-0x0000000000DB0000-0x0000000000E10000-memory.dmp
memory/2740-33-0x0000000140000000-0x0000000140237000-memory.dmp
memory/3004-38-0x0000000140000000-0x0000000140135000-memory.dmp
memory/2740-41-0x0000000000DB0000-0x0000000000E10000-memory.dmp
memory/2740-40-0x0000000000DB0000-0x0000000000E10000-memory.dmp
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
| MD5 | 940e34c430b9398df16516b57b3fc070 |
| SHA1 | d49307c5187fdeaa2d872c6e93698a45abd982a1 |
| SHA256 | 443e297db4e83b43238217dd966114c1c2e3815a8e601bb5a88f6e7b6ff0dd70 |
| SHA512 | b444eef9fc74c1b68423de907fac5ae3a9739afc8cac9d94e9ad92efbfd8f1fec2fd3b77d28f13e607437ec967206d7d23d868d1e61cfbf3039b7ac687f7c46e |
memory/536-46-0x0000000140000000-0x0000000140245000-memory.dmp
memory/536-45-0x0000000000890000-0x00000000008F0000-memory.dmp
memory/536-52-0x0000000000890000-0x00000000008F0000-memory.dmp
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
| MD5 | fc14b654f1f001b0505b67809090ecf0 |
| SHA1 | c07c0b2fad2066e5df64f168fc190799396d04e8 |
| SHA256 | d7d0785eeafd4b1d6625ff9a5208d366018cc58929e08e3c205b1847868ae858 |
| SHA512 | ca5c4a0abb5a74665bde03fd2141a16122f3f862bf22d90a8deab1ac6f30618f1c9accfde1025933a003709e75da93a506d27febe73da1d6d47f44aa6f085e76 |
memory/1988-57-0x0000000000400000-0x000000000085A000-memory.dmp
memory/3356-56-0x0000000000CD0000-0x0000000000D30000-memory.dmp
memory/3356-59-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3356-65-0x0000000000CD0000-0x0000000000D30000-memory.dmp
memory/3356-68-0x0000000000CD0000-0x0000000000D30000-memory.dmp
memory/3356-71-0x0000000140000000-0x0000000140209000-memory.dmp
C:\Windows\System32\msdtc.exe
| MD5 | 84b9d9ea8ec5f7ed64ba7fa1214fb4e7 |
| SHA1 | 6509d93cb7a6f89e185ab2608098256d1b47e17f |
| SHA256 | b1878878ab9110ca6d1665b05488432568fca530db41c6f8f6adc81d2a710218 |
| SHA512 | 8d2aba46f6daf321215b93f0ae6143befc08304141c690cc830e54a72ff476020c1e5246e9ea9aa135b3b6a5eaa54c827d25a4375170a2e5ab6817518ed4e40a |
memory/4360-73-0x0000000140000000-0x00000001401E9000-memory.dmp
memory/4336-74-0x0000000140000000-0x00000001401F8000-memory.dmp
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
| MD5 | 563502374c82a516d0aaa9f02b52cc62 |
| SHA1 | 8b3cd7822d1535b78976a934ca9bd1dffaeb4591 |
| SHA256 | 89dbe79a270f75d9e0f2063a35a49736c0e7d9095de4ad5c31cd3b440004a654 |
| SHA512 | c332bd57ae6ef207b0a6bbe48eddad6fa7042ed0d7d1cfb31171eae195854fd0bb37f3ad9a6408a2629eb772c373445b712c38b6e70f3e407473b0349c9fd79d |
memory/4500-82-0x0000000140000000-0x00000001401E8000-memory.dmp
memory/4972-81-0x00000000007B0000-0x0000000000810000-memory.dmp
memory/4972-84-0x0000000140000000-0x000000014020E000-memory.dmp
memory/4972-89-0x00000000007B0000-0x0000000000810000-memory.dmp
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
| MD5 | 12e625ce948c2c30c8eb5c3c6e3c2e57 |
| SHA1 | 09d845932ceb5f03c5775f9f346be1166e3fffaf |
| SHA256 | 31c50da6ef71870a16ae066364f7a6fc27165892dd43c1450782686269e9d546 |
| SHA512 | fd237431a78ddcd307997d63a5c9187ee0e32c935c340654db5199e9c228e2ae2e2cdaa19b63cf3768c73c89eb22c13a571e71729961d842af4fffb1643c89bb |
memory/4552-93-0x0000000140000000-0x00000001401EA000-memory.dmp
memory/4552-94-0x0000000000780000-0x00000000007E0000-memory.dmp
memory/2740-101-0x0000000140000000-0x0000000140237000-memory.dmp
memory/4552-100-0x0000000000780000-0x00000000007E0000-memory.dmp
C:\Windows\SysWOW64\perfhost.exe
| MD5 | b5439382b94e26cd8d6e373315875032 |
| SHA1 | c133a47ec16af137625afc290d4c7d92f04a2210 |
| SHA256 | 94c7fda08e16aa5efdf4490f64b91ed9101529355a6e8bbc784a7c3dcba04a6a |
| SHA512 | 524e9aa9fcef859fd25f3bb711b4a989f67c351c0d0fc49be445289783ed9d0599fcafba5fe22d6073ab87f3fcbea879c0af567b2ee5f3f3bb4c52ca2ce932b0 |
memory/3104-105-0x0000000000400000-0x00000000005D6000-memory.dmp
memory/3104-106-0x0000000000860000-0x00000000008C7000-memory.dmp
memory/3104-111-0x0000000000860000-0x00000000008C7000-memory.dmp
memory/536-113-0x0000000140000000-0x0000000140245000-memory.dmp
C:\Windows\System32\Locator.exe
| MD5 | dbcf58b221d5c6d84bfa956048d0eaab |
| SHA1 | e1a196ccc8cd24efcae0eef29768d9e9543cd391 |
| SHA256 | 378b1da77aef4fa13fd60f22f9a1cacb6d65c45b27e494b772bb5919a0a5be6c |
| SHA512 | dcc19c04df95c82368024ca6dd5c9e4168a561a6308af36f21576f8b13b654bada2a226a1451e3d7a3c7429d421a9af47e0144a1da6b56c88ce726f0de9fe031 |
memory/3152-117-0x0000000140000000-0x00000001401D4000-memory.dmp
C:\Windows\System32\SensorDataService.exe
| MD5 | 8a95fa77fdf537a717ef8cd424fa109f |
| SHA1 | 5d466da009e9bb1f83a443b146dec0b7e4600fb6 |
| SHA256 | 232a26555e96a598a81273e4be2ec6d4e7d85072ba338ef1da9c8232bef4b617 |
| SHA512 | e01bc0cbbd656163fed31b3da64d0f738e3442bf23bff9e59cbeefa84844ac460008d87952f39e360628932dfed8db201514f011c22bc1f6b366f49742a8e22a |
memory/2132-119-0x0000000140000000-0x00000001401D7000-memory.dmp
C:\Windows\System32\snmptrap.exe
| MD5 | 928c17fc8a98463946aafc110c0175a2 |
| SHA1 | 97220559019671ad992492f7a6b7ee7213d360e4 |
| SHA256 | 93e16e201eb174850a8a0daa064113e7b241e7c2bc960096fc91a4ef832bb956 |
| SHA512 | 5f64017b4c8f2221f1d007bbcd60edd227557132be80c0a9681fc7517abbc125d35fc4e1fe0db2fa8d3549105f3bfc0dae80fe8f3b4343a814f53697dd764799 |
memory/4924-123-0x0000000140000000-0x00000001401D5000-memory.dmp
C:\Windows\System32\Spectrum.exe
| MD5 | f3c7c44491f0927264944696495cd768 |
| SHA1 | e18716f79cf9a9a42f102f38e1b29d4557c7c982 |
| SHA256 | a52255afc598081b022569facd0b76437f6257f885e71ba5ba1d9e8a1d672ed4 |
| SHA512 | f58af8c998787a799754dd190c47358ee9c387929bf0d0235f7e6349349dd0eb95f2cea07bfc1bae846b5e0e760f5d2ae335fcb7310740328a4f5fc8866fa954 |
memory/3356-127-0x0000000140000000-0x0000000140169000-memory.dmp
memory/4972-135-0x0000000140000000-0x000000014020E000-memory.dmp
memory/3356-136-0x00000000006E0000-0x0000000000740000-memory.dmp
C:\Windows\System32\OpenSSH\ssh-agent.exe
| MD5 | 0b07addd6dc29a6e8f49fb266348b59f |
| SHA1 | 0cc598b1aca846023dd012c8bda84efcf95c5451 |
| SHA256 | 05496c847793e2b98b66e67e13df2549b472c3878e6160b5665e2627f1f9cffa |
| SHA512 | f7330d87da8d87e76074734abfb0808377e501b807fa8b4018230e808e4711cf545812757b558f0668ca3657dd8ce53c861929dff848413d54d7acbf7f5d29b7 |
memory/4232-140-0x0000000140000000-0x0000000140241000-memory.dmp
memory/4552-148-0x0000000140000000-0x00000001401EA000-memory.dmp
memory/4232-150-0x0000000000510000-0x0000000000570000-memory.dmp
C:\Windows\System32\TieringEngineService.exe
| MD5 | cce562c8ef4ebbd9dd0ddb36b439dd9a |
| SHA1 | 25bbff875b80188f6a40bb3f3ddc890339ff489d |
| SHA256 | cf0269c34cd1833cacacc2cfc659ceae76cc8b0e80763691e6bed5b3f22a164c |
| SHA512 | 72027c240177cdb5471aa2912d2c6aed1e442c1ba90c30d982acf3519e5fca0d3c51a2e5524190f899f595b9e57bee5d93f17e5de9b2779aa2a1439ad3c828ad |
memory/2244-153-0x0000000140000000-0x0000000140221000-memory.dmp
C:\Windows\System32\AgentService.exe
| MD5 | bf5868ea3057e87bc87ce6c70f213e1d |
| SHA1 | 9d5c9588966736daf92a65e1e4c0bd3ef52d83ca |
| SHA256 | 13a6f2b8435fe9ca660bc335867f577e7ece11282ec93366b0013eb7bc43919d |
| SHA512 | 4b696ce650f63db10d9599c2b7d5e71c1042af59141a66e24d2080bb516a31d71ecb50659df6b1a77c7532593e566a22baa1185dd49c020d6ef811371940dc2b |
memory/3104-156-0x0000000000400000-0x00000000005D6000-memory.dmp
memory/3092-157-0x0000000140000000-0x00000001401C0000-memory.dmp
memory/3092-159-0x0000000140000000-0x00000001401C0000-memory.dmp
C:\Windows\System32\vds.exe
| MD5 | 7a7c17fd3347aa0d8e353391888e1096 |
| SHA1 | 8be381391fa2dda55caf6cfc33e55c1f8724c161 |
| SHA256 | b8d5e578cec88c175ce7ce8655289b840d0fbceb84831d6afc3161c7f54fdde7 |
| SHA512 | 8230344549d4799f5acac0366ee3f2aaa198b2322d613179cdae1c1d1e022583a3b90e7047bf11a1c66ff37deb25b5c39c61cbf647c0ca3af0df4665e627623f |
memory/372-162-0x0000000140000000-0x0000000140147000-memory.dmp
C:\Windows\System32\VSSVC.exe
| MD5 | 9a561da3a643de8ad2697cd8fe0552e7 |
| SHA1 | 0b7a44e9dc4212e2a839a65d820af0c63ac8de9d |
| SHA256 | 49679178ee953b66d31a4598c90e36f90c1fa2b72176e1adb9741715f564c0c8 |
| SHA512 | 45e79bc89806839f069fb9178a1c4894dcd8b60501ef09e04c2c293e383873c32987ffb6a12d41c00b1c033e839eaddede16097381aea37483a0b0b3a8050438 |
memory/5152-164-0x0000000140000000-0x00000001401FC000-memory.dmp
C:\Windows\System32\wbengine.exe
| MD5 | 6c8f9356b9e16ff3a3c4113127ea9404 |
| SHA1 | cae7126a53ee594bb3f102dc31e63f5744749ea0 |
| SHA256 | 173e2fcd7822361b9cea5d1ee6c26bcc7d109d1bd744c0f8ed9ab0f43f35bcdd |
| SHA512 | 51a0a35d92c7502448bf77464c0913dc9d9859573773af718a062b312448c78660bc94c0aced9d34967cadf9ecb4c909cf839ab30437692fad29c61ea745896b |
memory/2132-167-0x0000000140000000-0x00000001401D7000-memory.dmp
memory/5228-168-0x0000000140000000-0x0000000140216000-memory.dmp
C:\Windows\System32\wbem\WmiApSrv.exe
| MD5 | 37b2d2c1f6897e7a5b22f5bfc83a7ac8 |
| SHA1 | f912c77fb1872f1706d5ca058ca7be213971e096 |
| SHA256 | 706fde6bc6910f0e9b433a340154e947bce72951181edab7113d2a68d4d24310 |
| SHA512 | 04da41ad2307fcac51d2a4d46cf686c7fa4fa742ba5e42cc07b4a1680fc116ce4c3b155ac23e270f2d937b8531a5452d3674e4222fd6068c90c62528711c168a |
memory/4924-172-0x0000000140000000-0x00000001401D5000-memory.dmp
memory/5320-174-0x0000000140000000-0x0000000140205000-memory.dmp
C:\Windows\System32\SearchIndexer.exe
| MD5 | 7bc9a02582122be9514496ffa2c52e47 |
| SHA1 | 4c02dbeeed17165b70187893efca17098b50d24e |
| SHA256 | 659bb3b0f3c14613d89bbc240ac7ebc36a876afe6a8362eb35a10c3d7e55792e |
| SHA512 | 40e95887fb40ad84db9934251fb0ea95d635234099fc2e340ac38517657887e47179bd79c7b59a45b279fe450ebb0c13770847ec63dbab87e24f6ee5425969a8 |
memory/3356-176-0x0000000140000000-0x0000000140169000-memory.dmp
memory/5380-177-0x0000000140000000-0x0000000140179000-memory.dmp
memory/4232-245-0x0000000140000000-0x0000000140241000-memory.dmp
memory/2132-246-0x0000000140000000-0x00000001401D7000-memory.dmp
memory/2244-247-0x0000000140000000-0x0000000140221000-memory.dmp
memory/372-251-0x0000000140000000-0x0000000140147000-memory.dmp
memory/5152-253-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/5228-262-0x0000000140000000-0x0000000140216000-memory.dmp
memory/5320-264-0x0000000140000000-0x0000000140205000-memory.dmp
memory/5380-268-0x0000000140000000-0x0000000140179000-memory.dmp
memory/5708-381-0x00000170BB210000-0x00000170BB220000-memory.dmp
memory/5708-382-0x00000170BB220000-0x00000170BB230000-memory.dmp
memory/5708-387-0x00000170BB210000-0x00000170BB220000-memory.dmp
memory/5708-388-0x00000170BB230000-0x00000170BB231000-memory.dmp
memory/5708-397-0x00000170BB250000-0x00000170BB260000-memory.dmp
memory/5708-396-0x00000170BB210000-0x00000170BB220000-memory.dmp