Malware Analysis Report

2024-11-30 06:53

Sample ID 240601-jk7g7sed3x
Target 2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz
SHA256 d47f10e5f37f83420cf5159ceae94d00b4695ea7853d20b27a37d1c239b1494d
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

d47f10e5f37f83420cf5159ceae94d00b4695ea7853d20b27a37d1c239b1494d

Threat Level: Shows suspicious behavior

The file 2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz was found to be: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Uses Volume Shadow Copy WMI provider

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious behavior: LoadsDriver

Modifies data under HKEY_USERS

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 07:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 07:44

Reported

2024-06-01 07:47

Platform

win7-20240221-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\dllhost.exe N/A
N/A N/A C:\Windows\ehome\ehRecvr.exe N/A
N/A N/A C:\Windows\ehome\ehsched.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
N/A N/A C:\Windows\system32\IEEtwCollector.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\system32\locator.exe N/A
N/A N/A C:\Windows\System32\snmptrap.exe N/A
N/A N/A C:\Windows\System32\vds.exe N/A
N/A N/A C:\Windows\system32\vssvc.exe N/A
N/A N/A C:\Windows\system32\wbengine.exe N/A
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
N/A N/A C:\Windows\system32\SearchIndexer.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\54efd187ae4ef42b.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\system32\SearchProtocolHost.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jp2launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8131.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP85A4.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F3566C96-F264-4197-99CA-9E645D75CB38}.crmlog C:\Windows\system32\dllhost.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8B01.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8E1C.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP82E6.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehsched.exe C:\Windows\System32\alg.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP7935.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA9E6.tmp\ehiActivScp.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP739A.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP90BB.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index157.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\index155.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\rstrui.exe,-100 = "System Restore" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114 = "Windows Fax and Scan" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\DVD Maker\DVDMaker.exe,-63385 = "Burn pictures and video to DVD." C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\ehome\ehRecvr.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sdcpl.dll,-100 = "Backup and restore your files and system. Monitor latest backup status and configuration." C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\syswow64\unregmp2.exe,-155 = "Play digital media including music, videos, CDs, and DVDs." C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\odbcint.dll,-1310 = "Data Sources (ODBC)" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588 = "Windows Easy Transfer" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\syncCenter.dll,-3001 = "Sync files between your computer and network folders" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SNTSearch.dll,-504 = "Create short handwritten or text notes." C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 = "Tablet PC Input Panel" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10310 = "The aim of the game in Spider Solitaire is to remove cards from play in the fewest moves possible. Line up runs of cards from king through ace, in the same suit, to remove them." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4 = "Windows Media Player" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\displayswitch.exe,-321 = "Connect your computer to a projector by display cable." C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\pmcsnap.dll,-710 = "Manages local printers and remote print servers." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Msinfo32.exe,-130 = "Display detailed information about your computer." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\MdSched.exe,-4002 = "Check your computer for memory problems." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10101 = "Internet Checkers" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10103 = "Internet Spades" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10102 = "Internet Backgammon" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\OobeFldr.dll,-33056 = "Getting Started" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67" C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\ShapeCollector.exe,-299 = "Provide writing samples to help improve the recognition of your handwriting." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetProjW.dll,-501 = "Connect to a Network Projector" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\DVD Maker\DVDMaker.exe,-61403 = "Windows DVD Maker" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mblctr.exe,-1004 = "Opens the Windows Mobility Center so you can adjust display brightness, volume, power options, and other mobile PC settings." C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\ehome\ehRec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ehome\ehRec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: 33 N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 2680 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 3012 wrote to memory of 2680 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 3012 wrote to memory of 2680 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 3012 wrote to memory of 2508 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 3012 wrote to memory of 2508 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 3012 wrote to memory of 2508 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1680 wrote to memory of 1388 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 1680 wrote to memory of 1388 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 1680 wrote to memory of 1388 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 1680 wrote to memory of 2592 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 1680 wrote to memory of 2592 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 1680 wrote to memory of 2592 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 1732 wrote to memory of 1420 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 1420 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 1420 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 1420 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 1776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 1776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 1776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 1776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 2628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 2628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 2628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 2628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 1420 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 1420 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 1420 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 1420 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 608 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 608 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 608 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 608 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 2440 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 2440 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 2440 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 2440 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 2252 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 2252 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 2252 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 2252 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1680 wrote to memory of 2464 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 1680 wrote to memory of 2464 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 1680 wrote to memory of 2464 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 1732 wrote to memory of 1816 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 1816 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 1816 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 1816 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 2832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 2832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 2832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 2832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 2740 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 2740 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 2740 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 2740 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 1564 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 1564 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 1564 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 1564 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 2400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\eHome\EhTray.exe

"C:\Windows\eHome\EhTray.exe" /nav:-2

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\system32\IEEtwCollector.exe

C:\Windows\system32\IEEtwCollector.exe /V

C:\Windows\ehome\ehRec.exe

C:\Windows\ehome\ehRec.exe -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

"C:\Program Files\Windows Media Player\wmpnetwk.exe"

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 24c -NGENProcess 254 -Pipe 250 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d4 -NGENProcess 260 -Pipe 240 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 23c -NGENProcess 254 -Pipe 1e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 25c -NGENProcess 268 -Pipe 1d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 24c -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 270 -NGENProcess 268 -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 23c -Pipe 274 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 260 -Pipe 27c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 248 -NGENProcess 270 -Pipe 25c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 268 -NGENProcess 280 -Pipe 23c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 268 -NGENProcess 284 -Pipe 248 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 288 -NGENProcess 290 -Pipe 1e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 290 -NGENProcess 28c -Pipe 294 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 280 -NGENProcess 298 -Pipe 288 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 29c -NGENProcess 28c -Pipe 270 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 26c -NGENProcess 2a4 -Pipe 280 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 260 -NGENProcess 278 -Pipe 2a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 268 -NGENProcess 28c -Pipe 24c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 28c -NGENProcess 2a8 -Pipe 2ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 29c -NGENProcess 298 -Pipe 284 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2b0 -NGENProcess 260 -Pipe 26c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 1e4 -NGENProcess 204 -Pipe 208 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 250 -NGENProcess 240 -Pipe 24c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 1dc -Pipe 230 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 204 -Pipe 228 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 240 -Pipe 200 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 204 -NGENProcess 240 -Pipe 250 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 268 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 260 -NGENProcess 25c -Pipe 1b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 270 -NGENProcess 240 -Pipe 1dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 240 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 278 -NGENProcess 25c -Pipe 204 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 25c -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 280 -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 268 -NGENProcess 278 -Pipe 27c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 288 -NGENProcess 270 -Pipe 240 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 270 -NGENProcess 280 -Pipe 284 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 290 -NGENProcess 278 -Pipe 25c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 278 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 298 -NGENProcess 280 -Pipe 268 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 280 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 270 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a8 -NGENProcess 290 -Pipe 278 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 288 -NGENProcess 2a4 -Pipe 22c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 254 -NGENProcess 2ac -Pipe 280 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2ac -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2b8 -NGENProcess 2a4 -Pipe 2a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 254 -NGENProcess 2c0 -Pipe 2ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2b0 -NGENProcess 2a4 -Pipe 288 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2a4 -NGENProcess 2bc -Pipe 2b8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c8 -NGENProcess 2c0 -Pipe 1e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2c0 -NGENProcess 2b0 -Pipe 2c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2d0 -NGENProcess 2bc -Pipe 254 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2bc -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2d8 -NGENProcess 2b0 -Pipe 2a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b4 -NGENProcess 2b0 -Pipe 2c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2e4 -NGENProcess 2d8 -Pipe 2a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2e8 -NGENProcess 2e0 -Pipe 298 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2ec -NGENProcess 2b0 -Pipe 2d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2fc -NGENProcess 2f4 -Pipe 2e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2f4 -NGENProcess 2d8 -Pipe 2f8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 304 -NGENProcess 2d0 -Pipe 2f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 304 -NGENProcess 2f4 -Pipe 300 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2b4 -NGENProcess 2d0 -Pipe 2e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 310 -NGENProcess 308 -Pipe 2ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2c8 -NGENProcess 2d0 -Pipe 30c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 318 -NGENProcess 304 -Pipe 2d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 308 -Pipe 314 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 2d0 -Pipe 2fc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 304 -Pipe 2b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 308 -Pipe 310 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 31c -NGENProcess 2d0 -Pipe 330 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 2fc -NGENProcess 32c -Pipe 318 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 32c -NGENProcess 324 -Pipe 338 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 2f4 -NGENProcess 334 -Pipe 320 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 2fc -NGENProcess 340 -Pipe 32c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 304 -NGENProcess 334 -Pipe 308 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 344 -NGENProcess 2f4 -Pipe 2d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 340 -Pipe 328 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 304 -NGENProcess 350 -Pipe 344 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 31c -NGENProcess 340 -Pipe 33c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 34c -NGENProcess 358 -Pipe 304 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 324 -NGENProcess 340 -Pipe 2fc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 35c -NGENProcess 31c -Pipe 2f4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 31c -NGENProcess 34c -Pipe 358 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 31c -NGENProcess 35c -Pipe 340 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 348 -NGENProcess 34c -Pipe 354 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 36c -NGENProcess 334 -Pipe 350 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 31c -NGENProcess 364 -Pipe 348 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 35c -NGENProcess 368 -Pipe 374 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 34c -NGENProcess 364 -Pipe 370 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 378 -NGENProcess 31c -Pipe 360 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 31c -NGENProcess 324 -Pipe 380 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 194 -NGENProcess 37c -Pipe 334 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 194 -InterruptEvent 384 -NGENProcess 34c -Pipe 36c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 324 -Pipe 368 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 37c -Pipe 35c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 37c -NGENProcess 194 -Pipe 394 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 378 -NGENProcess 390 -Pipe 31c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 38c -NGENProcess 39c -Pipe 37c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 364 -NGENProcess 390 -Pipe 34c -Comment "NGen Worker Process"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 34.193.97.35:80 przvgke.biz tcp
US 34.193.97.35:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 34.193.97.35:80 przvgke.biz tcp
US 34.193.97.35:80 przvgke.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
US 8.8.8.8:53 zlenh.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 44.200.43.61:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 44.200.43.61:80 xlfhhhm.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 3.237.86.197:80 saytjshyf.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 3.237.86.197:80 saytjshyf.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 8.8.8.8:53 vcddkls.biz udp
US 34.193.97.35:80 fwiwk.biz tcp
SG 18.141.10.107:80 vcddkls.biz tcp
US 34.193.97.35:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 54.80.154.23:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 34.193.97.35:80 fwiwk.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 34.193.97.35:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 54.80.154.23:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.15.20:80 myups.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 myups.biz udp
US 165.160.13.20:80 myups.biz tcp
US 8.8.8.8:53 jpskm.biz udp
US 34.211.97.45:80 jpskm.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 54.244.188.177:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 wllvnzb.biz udp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 8.8.8.8:53 jpskm.biz udp
US 34.211.97.45:80 jpskm.biz tcp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 54.244.188.177:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 8.8.8.8:53 wllvnzb.biz udp
US 54.80.154.23:80 gnqgo.biz tcp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 3.237.86.197:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
SG 18.141.10.107:80 acwjcqqv.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 54.80.154.23:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 3.237.86.197:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
US 8.8.8.8:53 lejtdj.biz udp
SG 18.141.10.107:80 acwjcqqv.biz tcp
US 8.8.8.8:53 vyome.biz udp
US 44.213.104.86:80 vyome.biz tcp
US 8.8.8.8:53 yauexmxk.biz udp
US 54.80.154.23:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 13.251.16.150:80 iuzpxe.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 44.213.104.86:80 vyome.biz tcp
US 8.8.8.8:53 yauexmxk.biz udp
US 54.80.154.23:80 yauexmxk.biz tcp
US 8.8.8.8:53 sxmiywsfv.biz udp
US 8.8.8.8:53 iuzpxe.biz udp
SG 13.251.16.150:80 iuzpxe.biz tcp
SG 13.251.16.150:80 iuzpxe.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 8.8.8.8:53 sxmiywsfv.biz udp
US 34.211.97.45:80 vrrazpdh.biz tcp
SG 13.251.16.150:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 34.218.204.173:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 13.251.16.150:80 typgfhb.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.211.97.45:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 34.218.204.173:80 ftxlah.biz tcp
US 8.8.8.8:53 esuzf.biz udp
US 8.8.8.8:53 typgfhb.biz udp
US 34.211.97.45:80 esuzf.biz tcp
SG 13.251.16.150:80 typgfhb.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 3.94.10.34:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 8.8.8.8:53 esuzf.biz udp
US 34.211.97.45:80 esuzf.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 3.94.10.34:80 gvijgjwkh.biz tcp
US 44.213.104.86:80 qpnczch.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 8.8.8.8:53 brsua.biz udp
US 44.213.104.86:80 qpnczch.biz tcp
IE 3.254.94.185:80 brsua.biz tcp
US 8.8.8.8:53 brsua.biz udp
IE 3.254.94.185:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 44.200.43.61:80 oflybfv.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 44.200.43.61:80 oflybfv.biz tcp
US 8.8.8.8:53 yhqqc.biz udp
US 34.211.97.45:80 yhqqc.biz tcp
US 8.8.8.8:53 yhqqc.biz udp
US 8.8.8.8:53 mnjmhp.biz udp
US 34.211.97.45:80 yhqqc.biz tcp
US 44.200.43.61:80 mnjmhp.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 44.200.43.61:80 mnjmhp.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 18.208.156.248:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 13.251.16.150:80 jdhhbs.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
IE 34.246.200.160:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
SG 18.141.10.107:80 warkcdu.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 13.251.16.150:80 gcedd.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 18.208.156.248:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 44.213.104.86:80 xccjj.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 44.221.84.105:80 hehckyov.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 54.244.188.177:80 rynmcq.biz tcp
US 8.8.8.8:53 uaafd.biz udp
IE 3.254.94.185:80 uaafd.biz tcp
US 8.8.8.8:53 eufxebus.biz udp
SG 18.141.10.107:80 eufxebus.biz tcp
US 8.8.8.8:53 pwlqfu.biz udp
IE 34.246.200.160:80 pwlqfu.biz tcp
US 8.8.8.8:53 rrqafepng.biz udp
US 44.200.43.61:80 rrqafepng.biz tcp
US 8.8.8.8:53 ctdtgwag.biz udp
US 3.94.10.34:80 ctdtgwag.biz tcp
US 8.8.8.8:53 tnevuluw.biz udp
US 35.164.78.200:80 tnevuluw.biz tcp
US 8.8.8.8:53 whjovd.biz udp
SG 18.141.10.107:80 whjovd.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 18.208.156.248:80 opowhhece.biz tcp
US 8.8.8.8:53 gjogvvpsf.biz udp
US 8.8.8.8:53 reczwga.biz udp
US 3.237.86.197:80 reczwga.biz tcp
US 8.8.8.8:53 bghjpy.biz udp
US 34.211.97.45:80 bghjpy.biz tcp
US 8.8.8.8:53 damcprvgv.biz udp
US 54.80.154.23:80 damcprvgv.biz tcp
US 8.8.8.8:53 ocsvqjg.biz udp
IE 3.254.94.185:80 ocsvqjg.biz tcp
US 8.8.8.8:53 ywffr.biz udp
US 54.244.188.177:80 ywffr.biz tcp
US 8.8.8.8:53 ecxbwt.biz udp
US 54.244.188.177:80 ecxbwt.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 13.251.16.150:80 jdhhbs.biz tcp
US 8.8.8.8:53 pectx.biz udp
US 44.213.104.86:80 pectx.biz tcp
US 8.8.8.8:53 zyiexezl.biz udp
US 54.80.154.23:80 zyiexezl.biz tcp
US 8.8.8.8:53 banwyw.biz udp
US 3.237.86.197:80 banwyw.biz tcp
US 8.8.8.8:53 muapr.biz udp
US 8.8.8.8:53 mgmsclkyu.biz udp
US 8.8.8.8:53 wxgzshna.biz udp
IE 34.246.200.160:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 zrlssa.biz udp
US 3.237.86.197:80 zrlssa.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
US 8.8.8.8:53 jlqltsjvh.biz udp
SG 18.141.10.107:80 jlqltsjvh.biz tcp
SG 18.141.10.107:80 jlqltsjvh.biz tcp
US 8.8.8.8:53 gcedd.biz udp
US 8.8.8.8:53 xyrgy.biz udp
SG 13.251.16.150:80 gcedd.biz tcp
US 54.80.154.23:80 xyrgy.biz tcp
US 8.8.8.8:53 htwqzczce.biz udp
US 54.157.24.8:80 htwqzczce.biz tcp
US 54.157.24.8:80 htwqzczce.biz tcp
US 8.8.8.8:53 kvbjaur.biz udp
US 54.244.188.177:80 kvbjaur.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 18.208.156.248:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 uphca.biz udp
US 44.221.84.105:80 uphca.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 44.213.104.86:80 xccjj.biz tcp
US 8.8.8.8:53 fjumtfnz.biz udp
US 34.211.97.45:80 fjumtfnz.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 44.221.84.105:80 hehckyov.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 54.244.188.177:80 rynmcq.biz tcp
US 8.8.8.8:53 hlzfuyy.biz udp
US 34.211.97.45:80 hlzfuyy.biz tcp
US 8.8.8.8:53 uaafd.biz udp
IE 3.254.94.185:80 uaafd.biz tcp
US 8.8.8.8:53 rffxu.biz udp
IE 34.246.200.160:80 rffxu.biz tcp
US 8.8.8.8:53 eufxebus.biz udp
SG 18.141.10.107:80 eufxebus.biz tcp
US 8.8.8.8:53 cikivjto.biz udp
US 44.213.104.86:80 cikivjto.biz tcp
US 8.8.8.8:53 qncdaagct.biz udp
US 34.218.204.173:80 qncdaagct.biz tcp
US 8.8.8.8:53 shpwbsrw.biz udp
SG 13.251.16.150:80 shpwbsrw.biz tcp
US 8.8.8.8:53 pwlqfu.biz udp
IE 34.246.200.160:80 pwlqfu.biz tcp
US 8.8.8.8:53 rrqafepng.biz udp
US 44.200.43.61:80 rrqafepng.biz tcp
US 8.8.8.8:53 ctdtgwag.biz udp
US 3.94.10.34:80 ctdtgwag.biz tcp
US 8.8.8.8:53 tnevuluw.biz udp
US 35.164.78.200:80 tnevuluw.biz tcp
US 8.8.8.8:53 cjvgcl.biz udp
US 54.80.154.23:80 cjvgcl.biz tcp
US 8.8.8.8:53 neazudmrq.biz udp
US 3.237.86.197:80 neazudmrq.biz tcp
US 8.8.8.8:53 whjovd.biz udp
SG 18.141.10.107:80 whjovd.biz tcp
US 8.8.8.8:53 crl.microsoft.com udp
NL 23.63.101.170:80 crl.microsoft.com tcp
US 8.8.8.8:53 pgfsvwx.biz udp
US 54.80.154.23:80 pgfsvwx.biz tcp
US 8.8.8.8:53 aatcwo.biz udp
US 34.218.204.173:80 aatcwo.biz tcp
US 8.8.8.8:53 kcyvxytog.biz udp
US 18.208.156.248:80 kcyvxytog.biz tcp
US 8.8.8.8:53 gjogvvpsf.biz udp
US 8.8.8.8:53 reczwga.biz udp
US 3.237.86.197:80 reczwga.biz tcp
US 8.8.8.8:53 bghjpy.biz udp
US 34.211.97.45:80 bghjpy.biz tcp
US 8.8.8.8:53 nwdnxrd.biz udp
US 54.244.188.177:80 nwdnxrd.biz tcp
US 8.8.8.8:53 damcprvgv.biz udp
US 54.80.154.23:80 damcprvgv.biz tcp
US 8.8.8.8:53 ereplfx.biz udp
US 44.213.104.86:80 ereplfx.biz tcp
US 8.8.8.8:53 ocsvqjg.biz udp
IE 3.254.94.185:80 ocsvqjg.biz tcp
US 8.8.8.8:53 ptrim.biz udp
SG 18.141.10.107:80 ptrim.biz tcp
US 8.8.8.8:53 ywffr.biz udp
US 54.244.188.177:80 ywffr.biz tcp
US 8.8.8.8:53 ecxbwt.biz udp
US 54.244.188.177:80 ecxbwt.biz tcp
US 8.8.8.8:53 pectx.biz udp
US 44.213.104.86:80 pectx.biz tcp
US 8.8.8.8:53 znwbniskf.biz udp
US 34.218.204.173:80 znwbniskf.biz tcp
US 8.8.8.8:53 zyiexezl.biz udp
US 54.80.154.23:80 zyiexezl.biz tcp
US 8.8.8.8:53 banwyw.biz udp
US 3.237.86.197:80 banwyw.biz tcp
US 8.8.8.8:53 cpclnad.biz udp
US 3.237.86.197:80 cpclnad.biz tcp
US 8.8.8.8:53 muapr.biz udp
US 8.8.8.8:53 wxgzshna.biz udp
US 8.8.8.8:53 zrlssa.biz udp
US 3.237.86.197:80 zrlssa.biz tcp
US 8.8.8.8:53 mjheo.biz udp
US 3.237.86.197:80 mjheo.biz tcp
US 8.8.8.8:53 jlqltsjvh.biz udp
SG 18.141.10.107:80 jlqltsjvh.biz tcp
US 8.8.8.8:53 wluwplyh.biz udp
SG 18.141.10.107:80 wluwplyh.biz tcp
US 8.8.8.8:53 xyrgy.biz udp
US 54.80.154.23:80 xyrgy.biz tcp
US 8.8.8.8:53 zgapiej.biz udp
US 18.208.156.248:80 zgapiej.biz tcp
US 8.8.8.8:53 htwqzczce.biz udp
US 34.193.97.35:80 htwqzczce.biz tcp
US 8.8.8.8:53 jifai.biz udp
US 44.221.84.105:80 jifai.biz tcp
US 34.193.97.35:80 htwqzczce.biz tcp
US 8.8.8.8:53 xnxvnn.biz udp
SG 13.251.16.150:80 xnxvnn.biz tcp
US 8.8.8.8:53 kvbjaur.biz udp
US 54.244.188.177:80 kvbjaur.biz tcp
US 8.8.8.8:53 uphca.biz udp
US 44.221.84.105:80 uphca.biz tcp
US 8.8.8.8:53 fjumtfnz.biz udp
US 34.211.97.45:80 fjumtfnz.biz tcp
US 8.8.8.8:53 ihcnogskt.biz udp
US 35.164.78.200:80 ihcnogskt.biz tcp
US 8.8.8.8:53 hlzfuyy.biz udp
US 34.211.97.45:80 hlzfuyy.biz tcp
US 8.8.8.8:53 kkqypycm.biz udp
SG 18.141.10.107:80 kkqypycm.biz tcp
US 8.8.8.8:53 rffxu.biz udp
IE 34.246.200.160:80 rffxu.biz tcp
US 8.8.8.8:53 cikivjto.biz udp
US 44.213.104.86:80 cikivjto.biz tcp
US 8.8.8.8:53 qncdaagct.biz udp
US 34.218.204.173:80 qncdaagct.biz tcp
US 8.8.8.8:53 uevrpr.biz udp
US 44.213.104.86:80 uevrpr.biz tcp
US 8.8.8.8:53 shpwbsrw.biz udp
SG 13.251.16.150:80 shpwbsrw.biz tcp
US 8.8.8.8:53 fgajqjyhr.biz udp
US 34.211.97.45:80 fgajqjyhr.biz tcp
US 8.8.8.8:53 hagujcj.biz udp
US 18.208.156.248:80 hagujcj.biz tcp
US 8.8.8.8:53 sctmku.biz udp
US 35.164.78.200:80 sctmku.biz tcp
US 8.8.8.8:53 cjvgcl.biz udp
US 54.80.154.23:80 cjvgcl.biz tcp
US 8.8.8.8:53 neazudmrq.biz udp
US 3.237.86.197:80 neazudmrq.biz tcp
US 8.8.8.8:53 cwyfknmwh.biz udp
US 8.8.8.8:53 qcrsp.biz udp
US 34.211.97.45:80 qcrsp.biz tcp
US 8.8.8.8:53 pgfsvwx.biz udp
US 54.80.154.23:80 pgfsvwx.biz tcp
US 8.8.8.8:53 sewlqwcd.biz udp
US 3.237.86.197:80 sewlqwcd.biz tcp
US 8.8.8.8:53 dyjdrp.biz udp
US 54.244.188.177:80 dyjdrp.biz tcp
US 8.8.8.8:53 aatcwo.biz udp
US 34.218.204.173:80 aatcwo.biz tcp
US 8.8.8.8:53 napws.biz udp
US 35.164.78.200:80 napws.biz tcp
US 8.8.8.8:53 kcyvxytog.biz udp
US 18.208.156.248:80 kcyvxytog.biz tcp
US 8.8.8.8:53 nwdnxrd.biz udp
US 54.244.188.177:80 nwdnxrd.biz tcp
US 8.8.8.8:53 qvuhsaqa.biz udp
US 54.244.188.177:80 qvuhsaqa.biz tcp
US 8.8.8.8:53 ereplfx.biz udp
US 44.213.104.86:80 ereplfx.biz tcp
US 8.8.8.8:53 apzzls.biz udp
US 34.211.97.45:80 apzzls.biz tcp
US 8.8.8.8:53 ptrim.biz udp
SG 18.141.10.107:80 ptrim.biz tcp
US 8.8.8.8:53 krnsmlmvd.biz udp
US 34.218.204.173:80 krnsmlmvd.biz tcp
US 8.8.8.8:53 nlscndwp.biz udp
US 54.244.188.177:80 nlscndwp.biz tcp
US 8.8.8.8:53 znwbniskf.biz udp
US 34.218.204.173:80 znwbniskf.biz tcp
US 8.8.8.8:53 bzkysubds.biz udp
US 3.94.10.34:80 bzkysubds.biz tcp
US 8.8.8.8:53 cpclnad.biz udp
US 8.8.8.8:53 ltpqsnu.biz udp
US 3.237.86.197:80 cpclnad.biz tcp
US 54.80.154.23:80 ltpqsnu.biz tcp
US 8.8.8.8:53 mjheo.biz udp
US 8.8.8.8:53 vnvbt.biz udp
US 3.237.86.197:80 mjheo.biz tcp
US 44.213.104.86:80 vnvbt.biz tcp
US 8.8.8.8:53 wluwplyh.biz udp
SG 18.141.10.107:80 wluwplyh.biz tcp
US 8.8.8.8:53 ypituyqsq.biz udp
US 3.94.10.34:80 ypituyqsq.biz tcp
US 8.8.8.8:53 ijnmvqa.biz udp
US 35.164.78.200:80 ijnmvqa.biz tcp
US 8.8.8.8:53 tltxn.biz udp
US 54.80.154.23:80 tltxn.biz tcp
US 8.8.8.8:53 zgapiej.biz udp
US 8.8.8.8:53 vgypotwp.biz udp
US 18.208.156.248:80 zgapiej.biz tcp
US 54.244.188.177:80 vgypotwp.biz tcp
US 8.8.8.8:53 jifai.biz udp
US 44.221.84.105:80 jifai.biz tcp
US 8.8.8.8:53 xnxvnn.biz udp
SG 13.251.16.150:80 xnxvnn.biz tcp
US 8.8.8.8:53 giliplg.biz udp
US 44.213.104.86:80 giliplg.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 ihcnogskt.biz udp
US 35.164.78.200:80 ihcnogskt.biz tcp
US 8.8.8.8:53 kkqypycm.biz udp
SG 18.141.10.107:80 kkqypycm.biz tcp

Files

memory/1208-0-0x0000000002220000-0x0000000002287000-memory.dmp

memory/1208-5-0x0000000002220000-0x0000000002287000-memory.dmp

memory/1208-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

C:\Windows\System32\alg.exe

MD5 b539279e4d38f98c466e8471cdf9b404
SHA1 5e32b880de87d8e0e142aef1cf3241ab9cfea915
SHA256 e387496e8f2f00cc115325e80fd62e725f10447b4b55e31c841aadca110c683d
SHA512 5a79ed90008c87ed87748914e44b963eb7bca59eadcdd979de05ef025b1a0ae110f7eb02f40bef19b25dfc075cc733d94a4d1d34f8aae64e5ae18108861acd49

memory/2564-18-0x00000000008E0000-0x0000000000940000-memory.dmp

memory/2564-19-0x0000000100000000-0x00000001000A4000-memory.dmp

memory/2564-12-0x00000000008E0000-0x0000000000940000-memory.dmp

\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 986ba8bb2750db9389ecb7053fe27d64
SHA1 00f22e845e8c6bbe4dd6ae51284774d92abca1df
SHA256 95ffba995af18bbab8691318132e53e64168cad0104a32b58ae4631272b3c929
SHA512 b6cbba0c216d601bea5af96d41432d01545203560f2fa1b48b55abe9a25d51a4497d243a780595b4300c980985e5e3c87cda7195f4b9282867dea3e888f214f8

memory/2492-25-0x0000000140000000-0x000000014009D000-memory.dmp

memory/2492-26-0x0000000000860000-0x00000000008C0000-memory.dmp

memory/2492-32-0x0000000000860000-0x00000000008C0000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 91150f26c4c8f1086b13fabe08285637
SHA1 7e6ed901fbce931401179916ffe72b0b15fc0a1d
SHA256 6eca5ecde3640773fe64e34c9011a654080af242596e9a6702976508f526650f
SHA512 cb6d980da81fa892acc69a66a1c2c180137e3f6f78f66132dd7d4ab29f228297a9e8330f6dc16a906c1fb64dbd273904365e08c735c4559ef4b92be39666f616

memory/2604-36-0x0000000010000000-0x000000001009F000-memory.dmp

memory/2604-37-0x00000000009C0000-0x0000000000A27000-memory.dmp

memory/2604-42-0x00000000009C0000-0x0000000000A27000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 b4638f54647875bbfafdd2582e49b7c5
SHA1 cad6002d75e27390c1b1dc79c5ddf50d92a8cf8f
SHA256 4eb298cec010f7756c061bfec33bd5905c2d4ff26d406821e7caf771e52ea245
SHA512 a7fc42c092e904140c36595c66523098551af1c364e61656fe0bc9c88eac394c57a3f539ad4d6dee0fe36bee9289993cb5225e7412b8af56229f7758e0e7aaff

memory/3052-50-0x00000000003F0000-0x0000000000450000-memory.dmp

memory/3052-56-0x00000000003F0000-0x0000000000450000-memory.dmp

memory/3052-61-0x0000000010000000-0x00000000100A7000-memory.dmp

memory/1208-59-0x0000000000400000-0x0000000001EFA000-memory.dmp

memory/1732-67-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 5fd83885b71811123d4aa12b16789411
SHA1 7df4ec6c687511928f1eec31f9a7559f08ecfb1e
SHA256 c9fa7533f944222356bd3d8e2e5f8fca7e47e8c3cd8c3245d1d7156f49162262
SHA512 237257ee8979780f5637fed781eb1bd4765ccbb70c23811838dd5cad6ad55fac12f3ea1b12dbcd8b0d7b37a694b3369b133fe60af273ffac5e47d1fe8d308ed4

memory/1732-68-0x0000000000230000-0x0000000000297000-memory.dmp

memory/1732-74-0x0000000000230000-0x0000000000297000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

MD5 8b4b1e0b3d31c8d3ef228a324a90351c
SHA1 e999be4f3582570248c79cd6555d127fa3bed4a2
SHA256 ec2907447ca48f7de4e16401d88f86f7e4ade6ec28626026d569474f833ede1d
SHA512 2265db41734c2e3753e7e51100dba18e8ff88abb3d42f55780cafee713c5061a930b556a68649c49443fc9367c45a46d830ba17f4bddbe713966dd5e04635172

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 cc2b29df4056c16ea21d583795065dcc
SHA1 f36dddc5a278e3998ece95344f2bb555c027c1d0
SHA256 e00c115e019b078ba6938e723051cc18beedfbfdd90f2a3f5b05b257956be999
SHA512 47aaea005c4197dab51f7ac432ab701625cbf046ce953afafc699f9979714702d05ec2a52afa0b6a51cc04bff794e44a9bcd4b04b21974ea32386e283f25e485

memory/3012-91-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/3012-89-0x0000000000A70000-0x0000000000AD0000-memory.dmp

memory/3012-83-0x0000000000A70000-0x0000000000AD0000-memory.dmp

memory/2604-95-0x0000000010000000-0x000000001009F000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

MD5 fcc00f0d5b1d1078ab706422a88c43cc
SHA1 02e4a35fde91061fb06346742b937867f5412d20
SHA256 0f5499e33d9d056b0ac605041ddfb37bbfb154604077583077db813d58eebbed
SHA512 e77388b3e810dad3968d1a35bb019466fd807f5e46fb6ef4aead1840b8793f5a505f8e6a2b2ecb38e7373f31cacb5ae76b9e4607b776de94f8d0e4e48d4451d1

C:\Windows\System32\dllhost.exe

MD5 1390791141c0d1c411e29d4f53c39f4f
SHA1 69eedd05e046ee5d362d363ba5c9f207a251b842
SHA256 11d2f0a2203e9311757de5cd297713183bb9525f2058c8cf8cb987fb00f083c9
SHA512 ef893116a2f5783374f2896e139042a3e0fc775d5daf2463f31e331c69a4068934f982269a760437a3d46408d7ba14105471199927f2c9d29bc68b61b2377d1c

memory/2624-109-0x0000000100000000-0x0000000100095000-memory.dmp

memory/2624-103-0x0000000000310000-0x0000000000370000-memory.dmp

memory/2624-110-0x0000000000310000-0x0000000000370000-memory.dmp

\Windows\ehome\ehrecvr.exe

MD5 3abc70ae2246a9a4fd16b854a0b97c3e
SHA1 d23ad93730a785034d392e94f815f705f6c6085d
SHA256 e1cf6e0cde105ed7490604e60c9dc98847d97528ba5fab1dc65e8034795f3aa6
SHA512 f637768541cf1bbf9b352d9c5d80fcbd099249a21238270e73c34821a719a25142467210ccc70d0fe73ca1b7c838eefd6f28051d428ef1048b94c3f4225ca60b

memory/2564-118-0x0000000100000000-0x00000001000A4000-memory.dmp

memory/2428-119-0x0000000140000000-0x000000014013C000-memory.dmp

\Windows\ehome\ehsched.exe

MD5 543d5ff2b66034e1811cb563e5a57663
SHA1 a92f2e9931fa6f2dbcd409c94ec4b90abc2ba5c5
SHA256 ea14344e4136325da87548422c9991e0b7432e7cd99f75b951327224b6f49bc0
SHA512 c1c0455901af5978a4ca2f8054892b81db3b4deda2db663c4be5f56f85333d5abe103e078270b428421ed0be2066d55c528f600f956efcab7bd259681c6e11b5

memory/1728-133-0x0000000140000000-0x00000001400B2000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 e9cccaff9e78424d382a78da868cf485
SHA1 e816229d61c12082bdb793c9ad71157be0b9b044
SHA256 c1ddf404b43aa6fd4d98fe63cbd1e3e4edfeed8d63afac339db1356514633a08
SHA512 3c5a78b0702b00d6a9b810ed110ce2cc9dcb915f90f21000a58739dddb1056d7349347aad52eaa1b41e286b454c255572c8501a38280de5851cbe5bf4be7f3f2

memory/2492-145-0x0000000140000000-0x000000014009D000-memory.dmp

memory/1532-154-0x0000000140000000-0x0000000140237000-memory.dmp

\Windows\System32\ieetwcollector.exe

MD5 a09550eeefe45c2321a39f11d76dffaf
SHA1 b4dbc8f43b80c682264ec7f1510e942cd10b5098
SHA256 3f29ce373c4c0a0c1eb6ef5f044396b0350d6e7d250724f5174227adfd8b21d0
SHA512 5580e0b2b7e6b0cb9bff5e5bdaffaf6d1ffe73d96ddb544eb1856d3a42d74e10c18f63126d255dc2a4e46cbf9741a343314cd08b83fccec14d880908cdc9cbc2

memory/1832-158-0x0000000140000000-0x00000001400AE000-memory.dmp

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

MD5 718a092503c96cbd59e954f3168f306c
SHA1 75c6784e04a99b644e8a765baba6faefca56b893
SHA256 8d119ae6bd094b141a190716ab7518b5960f9b1706691d04e3c911ec7a4e14dc
SHA512 f91215db9d9c5f297e46f23041c4b7dfcc845cc189dda943be82eec47f7b7ac1182a8d106ce9a2afc3c1fe38618a80417fe4e68db3ff8a1f3273cfa9701a54e0

memory/1660-177-0x000000002E000000-0x000000002FE1E000-memory.dmp

memory/3040-185-0x0000000140000000-0x00000001400CA000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 ce2c6d4b96d28a7a797d59daa047c132
SHA1 6c388cd11b2f0a4c58591332586fc6222632e087
SHA256 7bff9cfbed75226c0a5ce5c6b9d44d2de04414143257ebffd2b62f7b61a495a3
SHA512 d1402798da69dfabf757f66d0fa3c082d23a69613a5cc9865c7345764d7298088166bf649b9afecd1edad141a5c899ba7b54073ed9d98cf0f44a13fb0201d504

\Windows\System32\msdtc.exe

MD5 a06e5fc4b3cec57fd253d609ee3eed99
SHA1 268eab3c70cbf77a258355074b9f42de7df81d72
SHA256 716ebcde6f5467ab7c37d3d3e1e8e40eaaf46b4075d52f1124c09311b28dd0ed
SHA512 703420d532c03eb656417766ed5b3d00d7e0945cdac3351c498064feb24fc134ac30210f9f6a8f12e96a25bd29113e71acd8613914e33370f91bfbb5485c891a

memory/2704-195-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1732-194-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/3012-213-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/3040-217-0x0000000140000000-0x00000001400CA000-memory.dmp

memory/2680-214-0x0000000140000000-0x00000001400AE000-memory.dmp

\Windows\System32\msiexec.exe

MD5 220f75bf21bd0f13785dfb70ddc408a9
SHA1 7589f880f37601f3eade8aa912e95d8c3774ee2f
SHA256 866b0df349f1f4a29b516ded6e19eb7abaf4470859f5896b92723c8eddd5ca8a
SHA512 06bae87c0aa420d66c4b70c862356bc35fa8021e0503f6ae16a5ba6fa244caf719ca4817739e13d5617311a4e56efce5f479eb8d049f0186cdf88e2923fdbb63

memory/2328-224-0x0000000100000000-0x00000001000B2000-memory.dmp

memory/2624-223-0x0000000100000000-0x0000000100095000-memory.dmp

memory/2328-235-0x00000000003B0000-0x0000000000462000-memory.dmp

memory/2428-232-0x0000000140000000-0x000000014013C000-memory.dmp

memory/1728-240-0x0000000140000000-0x00000001400B2000-memory.dmp

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 27d78cbf9db39aac84c652bead8fa587
SHA1 c579d4be851e090e3c79b3a8f96a00d1f3dea19f
SHA256 a4a25083bf43f730dabbd562965f843d838b6e86a6455acb449b86d45ba4adda
SHA512 5d9f49a55aa2a0c583810628dfa5bc50bf2630bb2267c879d732eeb78bb5c49f7c96f0ca570886938cad1a2536bc3c001120c1cfb0e715c2a4cbf73fe0fa19d5

memory/2332-248-0x000000002E000000-0x000000002E0B5000-memory.dmp

memory/1532-251-0x0000000140000000-0x0000000140237000-memory.dmp

memory/2508-252-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/2680-256-0x0000000140000000-0x00000001400AE000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

MD5 32182ae49a467346baca48cca1461226
SHA1 5dedb4e72e463125820e73fe3171757280d2ae2a
SHA256 425744591984b32c108a019b32f00335bc8cf1c1b3580c420f9c15349e7e4348
SHA512 471c57ce325fd9a3882efd6b52df63fcb0b6e832ede8fd341a083f16feb47dcd4ea7f8aa91ed1288e3d11dcd8249b9cbbda71542ed36eaa61707dca43f0dea6f

memory/1832-266-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/2724-275-0x0000000100000000-0x0000000100542000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 4ac72504f37df801006d6d7cdfdb1e93
SHA1 0166fb6cdbbf9d30a69e470e3e33f3bc02da0357
SHA256 febe0cecd1db444bd8fcf78fb8352d2ba7588de6b9dbcbf7100ae69a250eea5e
SHA512 1760d40708a2614aa9156d1cda2d73ac1856e028c473ba97e52d07ed5bf2975151dd15dbffaaa07406634ff37531dfee276f952e8e5a6b7123168f2f0a339fe3

C:\Windows\SysWOW64\perfhost.exe

MD5 fe1fe129ed3b705eba51064d13d7ab09
SHA1 5ad77c5ea83848cafbd6cf2a95f0e89bb768522a
SHA256 b9625e157897c81e4e83fbdde916729e1f890a6d3adcd90b06aef44529a385bc
SHA512 9b3c011ec0a1b16fb630386062f6271dfbaff1db90c7dc193a0404092c2607f6dddbb0792314e24924f055eba792b38d3e062c1bdda63b7e068b670ca355aefc

\Windows\System32\snmptrap.exe

MD5 c3f192c4b5d0e8dd8911f8c441277218
SHA1 969a68fc0bbd6afcf1cb5cdcce6e0ea4079436c7
SHA256 af6e93ba1d10e3f0a8b61a52897618726fd54a46ee08942f9b9a0eec2c5f845c
SHA512 c0c7e7b1b2b8204908691408392cd907762371eed4d1f4b143418db18c7961a11a3c459ea131ea5b0c18d2148800b6f3bd6bb48cbaa72ee688aeeac92df1b48f

C:\Windows\System32\vds.exe

MD5 56984312ce250e7ee0cfb036c3cb036f
SHA1 75519980f946755a5d35e9415dff7e8880414028
SHA256 a6409cb04b9c52a76b62ea950eacaeb8d70ff07cd29ba22d555aa959a3ff0206
SHA512 86511dad07fe500f59da9af4e9a5a297686f974a2541c7424cb1501c8820b1ca427634520cecec513adba537461a5d5ed4ae37aa287f535a01808dc0b3f5e4e6

memory/1660-318-0x000000002E000000-0x000000002FE1E000-memory.dmp

memory/3016-327-0x0000000100000000-0x0000000100095000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 c39edf361dc7d60e6793642866731615
SHA1 b00b982b534fe994e542e85dddb3da1b812dbe50
SHA256 599f32f6f359160177632fbc5f97a0effe9c91089e4509480e43e4d2c15fbd37
SHA512 299354f63de39c5f49c2c8500a0918a659384fb989b5022bcb8ae781a87bd6d0ad98b512372184b6d04c012843d53f64a9ca9ed5e290b7bed5890504b31d2905

memory/2688-332-0x0000000100000000-0x0000000100219000-memory.dmp

memory/2060-331-0x0000000100000000-0x0000000100096000-memory.dmp

memory/2480-330-0x0000000100000000-0x0000000100114000-memory.dmp

memory/964-320-0x0000000001000000-0x0000000001096000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 4b36ea9fade5ce76e72c06856c372ed7
SHA1 98e47a96ab7f5a128cdaf4926c624014250179a6
SHA256 386a4738a80201ac7ee0cbd3854e45795d36ef1e0bc87f32dd8561ebae2807b1
SHA512 c9a5fd14849923d6ea2387f3b22b6c6ee4b447b59ca9c597e794007f731ed4f11e1a7463c8f389ceae97fe25314fe4636173c30bc4cb105b26a6a7d72c70a3bb

memory/1968-345-0x0000000100000000-0x0000000100202000-memory.dmp

\Windows\System32\wbem\WmiApSrv.exe

MD5 822826d1584f29513a5635bf4a376480
SHA1 791b3e69cdef0b7acc60470fa731d772219ac5b1
SHA256 633a1eebbc7b88ee54c76538178a4ec86c160658d7e59f3363c5e9783db02677
SHA512 577026b7390e4fe467785798600a5f3748d4c91c8d2b9bd5ca5b06fea20250a29bf013f4f8349d99450b13e21da34b028bbee6883f8007e12661d4d05343a298

memory/2224-357-0x0000000100000000-0x00000001000C4000-memory.dmp

memory/2704-356-0x0000000140000000-0x00000001400B6000-memory.dmp

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 ad22841c27e8d466a36b662e68501507
SHA1 e8f48b17717f80c8ace637b8559fd752416a0355
SHA256 9510dd0bd8d9747f2bbcef39bb46ff37c5b4aee2c8a9d7db802f360bdd55895b
SHA512 7be7dd544dd756cfdf54727c2e202aa6357dd591e8635580e14b26e452a34e2a05bde030539eeb53ea4bc824b435fa7a0838491375f343d63182b34e1aa029c2

memory/576-369-0x0000000100000000-0x000000010020A000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 12dda0db7c3094a2d2c7fd19d81d81b8
SHA1 5a8f46df3821c10804846e6e8b8e6e3d2dc0adb6
SHA256 b18e19145f70737e13d1dec5219201e40c7a05450a3ec08baf190606a2d21a71
SHA512 a6c005e2c7aa511d641869955ec400c4e84367b0725b201d4cb93d165d57f4a9b4266b184806306d7839b30e47b0739ef9f7d2a0fe8ae5998449be38add4a9bd

memory/1680-382-0x0000000100000000-0x0000000100123000-memory.dmp

memory/2328-381-0x0000000100000000-0x00000001000B2000-memory.dmp

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

MD5 e4e8bd22f7cb41cb482ed6d096f5454a
SHA1 fd9e9fbb155380f3cebd918891f934e7e2b9939f
SHA256 4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7
SHA512 a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

memory/2508-537-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/1420-554-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2328-553-0x00000000003B0000-0x0000000000462000-memory.dmp

memory/1776-558-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1420-568-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2332-557-0x000000002E000000-0x000000002E0B5000-memory.dmp

memory/2628-579-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1776-582-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2628-611-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2724-614-0x0000000100000000-0x0000000100542000-memory.dmp

memory/1420-616-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2480-615-0x0000000100000000-0x0000000100114000-memory.dmp

memory/1420-622-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2688-647-0x0000000100000000-0x0000000100219000-memory.dmp

memory/528-648-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/608-649-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1968-662-0x0000000100000000-0x0000000100202000-memory.dmp

memory/528-665-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2440-667-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2440-681-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2252-680-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1816-695-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/576-693-0x0000000100000000-0x000000010020A000-memory.dmp

memory/1680-704-0x0000000100000000-0x0000000100123000-memory.dmp

memory/2832-705-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1816-708-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2252-692-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2224-679-0x0000000100000000-0x00000001000C4000-memory.dmp

memory/2832-713-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2740-723-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1564-739-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2740-727-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1564-756-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2400-754-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2248-770-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2400-773-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1816-777-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2248-788-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1728-791-0x0000000140000000-0x00000001400B2000-memory.dmp

memory/1816-793-0x0000000003C30000-0x0000000003CEA000-memory.dmp

memory/1816-803-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1664-817-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/940-818-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2652-829-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/940-832-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2652-842-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1832-885-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/2428-926-0x0000000140000000-0x000000014013C000-memory.dmp

memory/2400-1025-0x0000000001B00000-0x0000000001B0E000-memory.dmp

memory/2400-1026-0x0000000001B40000-0x0000000001B4C000-memory.dmp

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\bd1950e68286b869edc77261e0821c93\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

MD5 5180107f98e16bdca63e67e7e3169d22
SHA1 dd2e82756dcda2f5a82125c4d743b4349955068d
SHA256 d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01
SHA512 27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\dbe51d156773fefd09c7a52feeb8ff79\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

MD5 5fd34a21f44ccbeda1bf502aa162a96a
SHA1 1f3b1286c01dea47be5e65cb72956a2355e1ae5e
SHA256 5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01
SHA512 58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

MD5 4b5ec2fe0b3015d24bb511ae8b4029e0
SHA1 a575f71350950b32b216ece3c69cfbb63d69fb82
SHA256 9d1171d6f4e435cad073bf167db6d3d07ad11798cda6facbb8a88d37f42f69ff
SHA512 9f1edc54db57aaa82414439eba774c647b43e133567fe8fa2cc5411c48c894926cfcf7c2a980bbab87f77a0e2eaa64735fdf6bc54ce7ecc6fb835ba672043202

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\06216e3a9e4ca262bc1e9a3818ced7fe\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

MD5 3d6987fc36386537669f2450761cdd9d
SHA1 7a35de593dce75d1cb6a50c68c96f200a93eb0c9
SHA256 34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb
SHA512 1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\a58534126a42a5dbdef4573bac06c734\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

MD5 a8b651d9ae89d5e790ab8357edebbffe
SHA1 500cff2ba14e4c86c25c045a51aec8aa6e62d796
SHA256 1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7
SHA512 b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\82425dbc07ec64ab599534080b6fbc08\Microsoft.Office.Tools.v9.0.ni.dll

MD5 4bbf44ea6ee52d7af8e58ea9c0caa120
SHA1 f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2
SHA256 c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08
SHA512 c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

MD5 ed5c3f3402e320a8b4c6a33245a687d1
SHA1 4da11c966616583a817e98f7ee6fce6cde381dae
SHA256 b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88
SHA512 d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

MD5 9d9305a1998234e5a8f7047e1d8c0efe
SHA1 ba7e589d4943cd4fc9f26c55e83c77559e7337a8
SHA256 469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268
SHA512 58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

MD5 dd1dfa421035fdfb6fd96d301a8c3d96
SHA1 d535030ad8d53d57f45bc14c7c7b69efd929efb3
SHA256 f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c
SHA512 8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

MD5 57b601497b76f8cd4f0486d8c8bf918e
SHA1 da797c446d4ca5a328f6322219f14efe90a5be54
SHA256 1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d
SHA512 1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

MD5 68c51bcdc03e97a119431061273f045a
SHA1 6ecba97b7be73bf465adf3aa1d6798fedcc1e435
SHA256 4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf
SHA512 d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

MD5 0a41e63195a60814fe770be368b4992f
SHA1 d826fd4e4d1c9256abd6c59ce8adb6074958a3e7
SHA256 4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1
SHA512 1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

MD5 2eeeff61d87428ae7a2e651822adfdc4
SHA1 66f3811045a785626e6e1ea7bab7e42262f4c4c1
SHA256 37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047
SHA512 cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\1955bcce45d6b1058996298f74f5c446\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

MD5 1f99ced329572163f0cecfe3f908cd2a
SHA1 8684f050e03b110a1cfedc1409e7662080ef8d7e
SHA256 ef04f0affb3d17766ccb0b385a47421a1b7df32056f7854b6d8ea808bccd75f6
SHA512 4d582aa340198fd01ff2c75625203c90de67a64ebc4bfd345bcebb1d6b8bbfaf8c109e0f6b5a0ffa60a5c30693b15bbba79313302579002737c47cc3306efb85

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\e45a0e1bd97a5a0eae6d678180325b04\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

MD5 9142ed1e4d5c6f93cb6764a8c481cbe1
SHA1 1f03135777b0db6d3ace50dbd8f99af3ac2d21f8
SHA256 c985665c74fee7fc0ca238820772915c33c4d031f227176027832c26bb7f9ae9
SHA512 2c9d0608e2d62aa477f6b38ed69583c0a43d1fb3c7ac4e795a0dbca5668f712b79a59a135f05b486e560f4c3f8b824af75c54f2a7df7d08049577fd1af8e2fd2

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\52ae6f06f09a95cce3eaa245fe26e8d8\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

MD5 11ef8abc4657860ce33b6041f7119841
SHA1 e82b745c079ebc5d9e682cb592779476ce94db06
SHA256 d9314d4cba3059c057730a5bfcef34c7c5543d57d3d78c000a3801370308c1ad
SHA512 fb7b7b6efc359a16eaa663b6665bedf24eba6d855bb71ad895f66c2ff7dcf8599ac26602ce2cff3a2bda25c8cbb5192958f1a98f2aa271122e6ab19ad6be65be

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\1fda59e891c0dd3f8b3fcb220567993a\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

MD5 70c5cbd035d12eb4c4acbfe7712e96bc
SHA1 03ab0d1b1900f57408e92bb689e67ab2b5762fc6
SHA256 071928f27cad1bbe01af9f9d06f44399ccb7c1c28058c596f5bf97df8fe80727
SHA512 cc0c00fdead268740995c37ec9b4b5dcfe540e596e4f72311f1806f4a3c32ebac19cea8f25da6a6099ca08fa580a2cd7fe1abd9aaaabcff85b8ffee7654e2aca

C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

MD5 10b5a285eafccdd35390bb49861657e7
SHA1 62c05a4380e68418463529298058f3d2de19660d
SHA256 5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a
SHA512 19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

MD5 1f394b5ca6924de6d9dbfb0e90ea50ef
SHA1 4e2caa5e98531c6fbf5728f4ae4d90a1ad150920
SHA256 9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998
SHA512 e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

MD5 929653b5b019b4555b25d55e6bf9987b
SHA1 993844805819ee445ff8136ee38c1aee70de3180
SHA256 2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2
SHA512 effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

MD5 d9c0055c0c93a681947027f5282d5dcd
SHA1 9bd104f4d6bd68d09ae2a55b1ffc30673850780f
SHA256 dc7eb30a161a2f747238c8621adb963b50227a596d802b5f9110650357f7f7ed
SHA512 5404050caa320cdb48a6ccd34282c12788ee8db4e00397dde936cee00e297e9e438dcaa5fcb4e92525f167637b500db074ac91971d4730d222ac4713a3e7b930

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 07:44

Reported

2024-06-01 07:47

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\1c11182fbb5459c0.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java-rmi.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\ResumeClose.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\schemagen.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dfab2d9af7b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fb55609cf7b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d248c9bf7b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c3d0539af7b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" C:\Windows\system32\SearchIndexer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc74b699f7b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2f5799af7b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fab89d9af7b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bcf9e19bf7b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_acb1f7d26450cb2a2d2b2896edf0c2d5_magniber_revil_zxxz.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 177.188.244.54.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 107.10.141.18.in-addr.arpa udp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 34.193.97.35:80 przvgke.biz tcp
US 34.193.97.35:80 przvgke.biz tcp
US 34.193.97.35:80 przvgke.biz tcp
US 34.193.97.35:80 przvgke.biz tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 35.97.193.34.in-addr.arpa udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 44.200.43.61:80 xlfhhhm.biz tcp
US 44.200.43.61:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 61.43.200.44.in-addr.arpa udp
US 8.8.8.8:53 saytjshyf.biz udp
US 3.237.86.197:80 saytjshyf.biz tcp
US 3.237.86.197:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 fwiwk.biz udp
US 34.193.97.35:80 fwiwk.biz tcp
US 34.193.97.35:80 fwiwk.biz tcp
US 34.193.97.35:80 fwiwk.biz tcp
US 34.193.97.35:80 fwiwk.biz tcp
US 8.8.8.8:53 197.86.237.3.in-addr.arpa udp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 54.80.154.23:80 deoci.biz tcp
US 54.80.154.23:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 160.200.246.34.in-addr.arpa udp
US 8.8.8.8:53 23.154.80.54.in-addr.arpa udp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 200.78.164.35.in-addr.arpa udp
US 8.8.8.8:53 34.10.94.3.in-addr.arpa udp
US 8.8.8.8:53 myups.biz udp
US 165.160.15.20:80 myups.biz tcp
US 165.160.15.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 8.8.8.8:53 20.15.160.165.in-addr.arpa udp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 34.211.97.45:80 jpskm.biz tcp
US 34.211.97.45:80 jpskm.biz tcp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 54.244.188.177:80 lrxdmhrr.biz tcp
US 54.244.188.177:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
SG 18.141.10.107:80 wllvnzb.biz tcp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 8.8.8.8:53 45.97.211.34.in-addr.arpa udp
US 8.8.8.8:53 gnqgo.biz udp
US 54.80.154.23:80 gnqgo.biz tcp
US 54.80.154.23:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 3.237.86.197:80 jhvzpcfg.biz tcp
US 3.237.86.197:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
SG 18.141.10.107:80 acwjcqqv.biz tcp
SG 18.141.10.107:80 acwjcqqv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 44.213.104.86:80 vyome.biz tcp
US 44.213.104.86:80 vyome.biz tcp
US 8.8.8.8:53 yauexmxk.biz udp
US 54.80.154.23:80 yauexmxk.biz tcp
US 54.80.154.23:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 13.251.16.150:80 iuzpxe.biz tcp
SG 13.251.16.150:80 iuzpxe.biz tcp
US 8.8.8.8:53 86.104.213.44.in-addr.arpa udp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 13.251.16.150:80 sxmiywsfv.biz tcp
SG 13.251.16.150:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.211.97.45:80 vrrazpdh.biz tcp
US 34.211.97.45:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 34.218.204.173:80 ftxlah.biz tcp
US 34.218.204.173:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 13.251.16.150:80 typgfhb.biz tcp
SG 13.251.16.150:80 typgfhb.biz tcp
US 8.8.8.8:53 esuzf.biz udp
US 34.211.97.45:80 esuzf.biz tcp
US 34.211.97.45:80 esuzf.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 3.94.10.34:80 gvijgjwkh.biz tcp
US 3.94.10.34:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 173.204.218.34.in-addr.arpa udp
US 8.8.8.8:53 qpnczch.biz udp
US 44.213.104.86:80 qpnczch.biz tcp
US 44.213.104.86:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
IE 3.254.94.185:80 brsua.biz tcp
IE 3.254.94.185:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 44.200.43.61:80 oflybfv.biz tcp
US 44.200.43.61:80 oflybfv.biz tcp
US 8.8.8.8:53 185.94.254.3.in-addr.arpa udp
US 8.8.8.8:53 140.228.214.85.in-addr.arpa udp
US 8.8.8.8:53 yhqqc.biz udp
US 34.211.97.45:80 yhqqc.biz tcp
US 34.211.97.45:80 yhqqc.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 44.200.43.61:80 mnjmhp.biz tcp
US 44.200.43.61:80 mnjmhp.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 18.208.156.248:80 opowhhece.biz tcp
US 18.208.156.248:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 13.251.16.150:80 jdhhbs.biz tcp
US 8.8.8.8:53 248.156.208.18.in-addr.arpa udp
US 8.8.8.8:53 mgmsclkyu.biz udp
IE 34.246.200.160:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
SG 18.141.10.107:80 warkcdu.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 13.251.16.150:80 gcedd.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 13.251.16.150:80 jdhhbs.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 18.208.156.248:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
IE 34.246.200.160:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
SG 18.141.10.107:80 warkcdu.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 44.213.104.86:80 xccjj.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 44.221.84.105:80 hehckyov.biz tcp
US 54.244.188.177:80 rynmcq.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 13.251.16.150:80 gcedd.biz tcp
US 8.8.8.8:53 uaafd.biz udp
IE 3.254.94.185:80 uaafd.biz tcp
US 8.8.8.8:53 eufxebus.biz udp
SG 18.141.10.107:80 eufxebus.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 18.208.156.248:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 44.213.104.86:80 xccjj.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 44.221.84.105:80 hehckyov.biz tcp
US 8.8.8.8:53 pwlqfu.biz udp
IE 34.246.200.160:80 pwlqfu.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 54.244.188.177:80 rynmcq.biz tcp
US 8.8.8.8:53 rrqafepng.biz udp
US 44.200.43.61:80 rrqafepng.biz tcp
US 8.8.8.8:53 ctdtgwag.biz udp
US 3.94.10.34:80 ctdtgwag.biz tcp
US 8.8.8.8:53 uaafd.biz udp
IE 3.254.94.185:80 uaafd.biz tcp
US 8.8.8.8:53 tnevuluw.biz udp
US 35.164.78.200:80 tnevuluw.biz tcp
US 8.8.8.8:53 eufxebus.biz udp
SG 18.141.10.107:80 eufxebus.biz tcp
US 8.8.8.8:53 whjovd.biz udp
SG 18.141.10.107:80 whjovd.biz tcp
US 8.8.8.8:53 gjogvvpsf.biz udp
US 8.8.8.8:53 reczwga.biz udp
US 3.237.86.197:80 reczwga.biz tcp
US 8.8.8.8:53 pwlqfu.biz udp
US 8.8.8.8:53 bghjpy.biz udp
IE 34.246.200.160:80 pwlqfu.biz tcp
US 34.211.97.45:80 bghjpy.biz tcp
US 8.8.8.8:53 rrqafepng.biz udp
US 44.200.43.61:80 rrqafepng.biz tcp
US 8.8.8.8:53 damcprvgv.biz udp
US 54.80.154.23:80 damcprvgv.biz tcp
US 8.8.8.8:53 ctdtgwag.biz udp
US 3.94.10.34:80 ctdtgwag.biz tcp
US 8.8.8.8:53 ocsvqjg.biz udp
IE 3.254.94.185:80 ocsvqjg.biz tcp
US 8.8.8.8:53 tnevuluw.biz udp
US 35.164.78.200:80 tnevuluw.biz tcp
US 8.8.8.8:53 ywffr.biz udp
US 54.244.188.177:80 ywffr.biz tcp
US 8.8.8.8:53 whjovd.biz udp
SG 18.141.10.107:80 whjovd.biz tcp
US 8.8.8.8:53 ecxbwt.biz udp
US 54.244.188.177:80 ecxbwt.biz tcp
US 8.8.8.8:53 pectx.biz udp
US 44.213.104.86:80 pectx.biz tcp
US 8.8.8.8:53 zyiexezl.biz udp
US 8.8.8.8:53 gjogvvpsf.biz udp
US 54.80.154.23:80 zyiexezl.biz tcp
US 8.8.8.8:53 banwyw.biz udp
US 3.237.86.197:80 banwyw.biz tcp
US 8.8.8.8:53 reczwga.biz udp
US 3.237.86.197:80 reczwga.biz tcp
US 8.8.8.8:53 muapr.biz udp
US 8.8.8.8:53 wxgzshna.biz udp
US 8.8.8.8:53 bghjpy.biz udp
US 8.8.8.8:53 zrlssa.biz udp
US 34.211.97.45:80 bghjpy.biz tcp
US 3.237.86.197:80 zrlssa.biz tcp
US 8.8.8.8:53 jlqltsjvh.biz udp
SG 18.141.10.107:80 jlqltsjvh.biz tcp
US 8.8.8.8:53 damcprvgv.biz udp
US 54.80.154.23:80 damcprvgv.biz tcp
US 8.8.8.8:53 ocsvqjg.biz udp
IE 3.254.94.185:80 ocsvqjg.biz tcp
US 8.8.8.8:53 ywffr.biz udp
US 54.244.188.177:80 ywffr.biz tcp
US 8.8.8.8:53 xyrgy.biz udp
US 54.80.154.23:80 xyrgy.biz tcp
US 8.8.8.8:53 ecxbwt.biz udp
US 54.244.188.177:80 ecxbwt.biz tcp
US 8.8.8.8:53 htwqzczce.biz udp
US 54.157.24.8:80 htwqzczce.biz tcp
US 54.157.24.8:80 htwqzczce.biz tcp
US 8.8.8.8:53 8.24.157.54.in-addr.arpa udp
US 8.8.8.8:53 pectx.biz udp
US 44.213.104.86:80 pectx.biz tcp
US 8.8.8.8:53 kvbjaur.biz udp
US 54.244.188.177:80 kvbjaur.biz tcp
US 8.8.8.8:53 zyiexezl.biz udp
US 54.80.154.23:80 zyiexezl.biz tcp
US 8.8.8.8:53 banwyw.biz udp
US 8.8.8.8:53 uphca.biz udp
US 3.237.86.197:80 banwyw.biz tcp
US 44.221.84.105:80 uphca.biz tcp
US 8.8.8.8:53 muapr.biz udp
US 8.8.8.8:53 fjumtfnz.biz udp
US 8.8.8.8:53 wxgzshna.biz udp
US 34.211.97.45:80 fjumtfnz.biz tcp
US 8.8.8.8:53 zrlssa.biz udp
US 3.237.86.197:80 zrlssa.biz tcp
US 8.8.8.8:53 jlqltsjvh.biz udp
SG 18.141.10.107:80 jlqltsjvh.biz tcp
US 8.8.8.8:53 hlzfuyy.biz udp
US 34.211.97.45:80 hlzfuyy.biz tcp
US 8.8.8.8:53 rffxu.biz udp
IE 34.246.200.160:80 rffxu.biz tcp
US 8.8.8.8:53 cikivjto.biz udp
US 44.213.104.86:80 cikivjto.biz tcp
US 8.8.8.8:53 xyrgy.biz udp
US 54.80.154.23:80 xyrgy.biz tcp
US 8.8.8.8:53 qncdaagct.biz udp
US 34.218.204.173:80 qncdaagct.biz tcp
US 8.8.8.8:53 htwqzczce.biz udp
US 34.193.97.35:80 htwqzczce.biz tcp
US 34.193.97.35:80 htwqzczce.biz tcp
US 8.8.8.8:53 shpwbsrw.biz udp
SG 13.251.16.150:80 shpwbsrw.biz tcp
US 8.8.8.8:53 kvbjaur.biz udp
US 54.244.188.177:80 kvbjaur.biz tcp
US 8.8.8.8:53 uphca.biz udp
US 44.221.84.105:80 uphca.biz tcp
US 8.8.8.8:53 fjumtfnz.biz udp
US 34.211.97.45:80 fjumtfnz.biz tcp
US 8.8.8.8:53 cjvgcl.biz udp
US 54.80.154.23:80 cjvgcl.biz tcp
US 8.8.8.8:53 neazudmrq.biz udp
US 8.8.8.8:53 hlzfuyy.biz udp
US 3.237.86.197:80 neazudmrq.biz tcp
US 34.211.97.45:80 hlzfuyy.biz tcp
US 8.8.8.8:53 pgfsvwx.biz udp
US 54.80.154.23:80 pgfsvwx.biz tcp
US 8.8.8.8:53 aatcwo.biz udp
US 8.8.8.8:53 rffxu.biz udp
US 34.218.204.173:80 aatcwo.biz tcp
IE 34.246.200.160:80 rffxu.biz tcp
US 8.8.8.8:53 cikivjto.biz udp
US 44.213.104.86:80 cikivjto.biz tcp
US 8.8.8.8:53 kcyvxytog.biz udp
US 8.8.8.8:53 qncdaagct.biz udp
US 18.208.156.248:80 kcyvxytog.biz tcp
US 34.218.204.173:80 qncdaagct.biz tcp
US 8.8.8.8:53 nwdnxrd.biz udp
US 54.244.188.177:80 nwdnxrd.biz tcp
US 8.8.8.8:53 shpwbsrw.biz udp
SG 13.251.16.150:80 shpwbsrw.biz tcp
US 8.8.8.8:53 ereplfx.biz udp
US 44.213.104.86:80 ereplfx.biz tcp
US 8.8.8.8:53 ptrim.biz udp
SG 18.141.10.107:80 ptrim.biz tcp
US 8.8.8.8:53 cjvgcl.biz udp
US 54.80.154.23:80 cjvgcl.biz tcp
US 8.8.8.8:53 neazudmrq.biz udp
US 3.237.86.197:80 neazudmrq.biz tcp
US 8.8.8.8:53 pgfsvwx.biz udp
US 8.8.8.8:53 znwbniskf.biz udp
US 54.80.154.23:80 pgfsvwx.biz tcp
US 34.218.204.173:80 znwbniskf.biz tcp
US 8.8.8.8:53 aatcwo.biz udp
US 34.218.204.173:80 aatcwo.biz tcp
US 8.8.8.8:53 cpclnad.biz udp
US 3.237.86.197:80 cpclnad.biz tcp
US 8.8.8.8:53 kcyvxytog.biz udp
US 18.208.156.248:80 kcyvxytog.biz tcp
US 8.8.8.8:53 mjheo.biz udp
US 3.237.86.197:80 mjheo.biz tcp
US 8.8.8.8:53 wluwplyh.biz udp
SG 18.141.10.107:80 wluwplyh.biz tcp
US 8.8.8.8:53 zgapiej.biz udp
US 18.208.156.248:80 zgapiej.biz tcp
US 8.8.8.8:53 jifai.biz udp
US 8.8.8.8:53 nwdnxrd.biz udp
US 54.244.188.177:80 nwdnxrd.biz tcp
US 44.221.84.105:80 jifai.biz tcp
US 8.8.8.8:53 xnxvnn.biz udp
SG 13.251.16.150:80 xnxvnn.biz tcp
US 8.8.8.8:53 ereplfx.biz udp
US 44.213.104.86:80 ereplfx.biz tcp
US 8.8.8.8:53 ptrim.biz udp
SG 18.141.10.107:80 ptrim.biz tcp
US 8.8.8.8:53 ihcnogskt.biz udp
US 35.164.78.200:80 ihcnogskt.biz tcp
US 8.8.8.8:53 kkqypycm.biz udp
US 8.8.8.8:53 znwbniskf.biz udp
US 34.218.204.173:80 znwbniskf.biz tcp
SG 18.141.10.107:80 kkqypycm.biz tcp
US 8.8.8.8:53 cpclnad.biz udp
US 3.237.86.197:80 cpclnad.biz tcp
US 8.8.8.8:53 mjheo.biz udp
US 3.237.86.197:80 mjheo.biz tcp
US 8.8.8.8:53 wluwplyh.biz udp
SG 18.141.10.107:80 wluwplyh.biz tcp
US 8.8.8.8:53 uevrpr.biz udp
US 44.213.104.86:80 uevrpr.biz tcp
US 34.211.97.45:80 hlzfuyy.biz tcp
US 8.8.8.8:53 hagujcj.biz udp
US 18.208.156.248:80 hagujcj.biz tcp
US 18.208.156.248:80 hagujcj.biz tcp
US 8.8.8.8:53 jifai.biz udp
US 44.221.84.105:80 jifai.biz tcp
US 8.8.8.8:53 xnxvnn.biz udp
SG 13.251.16.150:80 xnxvnn.biz tcp
US 8.8.8.8:53 sctmku.biz udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
US 35.164.78.200:80 sctmku.biz tcp
US 8.8.8.8:53 cwyfknmwh.biz udp
US 8.8.8.8:53 ihcnogskt.biz udp
US 8.8.8.8:53 qcrsp.biz udp
US 35.164.78.200:80 ihcnogskt.biz tcp
US 34.211.97.45:80 qcrsp.biz tcp
US 8.8.8.8:53 kkqypycm.biz udp
US 8.8.8.8:53 sewlqwcd.biz udp
SG 18.141.10.107:80 kkqypycm.biz tcp
US 3.237.86.197:80 sewlqwcd.biz tcp
US 8.8.8.8:53 dyjdrp.biz udp
US 54.244.188.177:80 dyjdrp.biz tcp

Files

memory/2912-6-0x0000000003DF0000-0x0000000003E57000-memory.dmp

memory/2912-0-0x0000000003DF0000-0x0000000003E57000-memory.dmp

memory/4856-11-0x00000000006E0000-0x0000000000740000-memory.dmp

memory/4856-17-0x00000000006E0000-0x0000000000740000-memory.dmp

memory/4856-19-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/2912-10-0x0000000000400000-0x0000000001EFA000-memory.dmp

C:\Windows\System32\alg.exe

MD5 199ffae83a344a7893bf064d59eb31b1
SHA1 897d405877c710b921e1f66380203846323dfd75
SHA256 1a2824d74b4e260dfdeb550e29259dd635175aa93bc766fa1665c128df069f80
SHA512 d8c4495e854f970aa846561c1f92b8294c548c6c67201002e1dc801bccf72511e8a31967404c1384d83b47728f6aa790ad8e3d00d0acdee2ae9c1de93c534414

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 05bef1679d91694facb0dbcb92dd3605
SHA1 b4619fad115690bf5e04fce1cf7b83b0997df3ba
SHA256 80f7b7e5bd054219ee288ecc6213c4caca773b7a54602d3a24492f7ac77c800e
SHA512 ed8ac6142ea1b8e4aa21df7c7570b5ba9527db54a842d07cc480e02fcc58bf8d6e717baacf03158d51067c5e3994cfa413aee52475664b9476b5f21c28dd0e2f

memory/4636-30-0x00000000006A0000-0x0000000000700000-memory.dmp

memory/4636-24-0x00000000006A0000-0x0000000000700000-memory.dmp

memory/2912-33-0x0000000000400000-0x0000000001EFA000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 ed90ea0ade928f3c83f3a96b9074fb6a
SHA1 0aa0033a3f850da02359250fea7583223dd164fd
SHA256 6a3d232a2a985b65d35bc8e7bb38ab1b2ee0083fc808f0291ced911ea8977a57
SHA512 009ae6672171a26e7c9aab16e207c8709f29565e1191f457a573d337639c130f0e78bb432535439fd1c76768ff33177708194365af3621f62f28dd7246a4af3b

memory/1896-35-0x0000000140000000-0x0000000140135000-memory.dmp

memory/4636-36-0x0000000140000000-0x00000001400A9000-memory.dmp

memory/1896-43-0x0000000000E70000-0x0000000000ED0000-memory.dmp

memory/1896-37-0x0000000000E70000-0x0000000000ED0000-memory.dmp

memory/1896-45-0x0000000000E70000-0x0000000000ED0000-memory.dmp

memory/1896-47-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

MD5 1e5fe1e1c2d7f7066e26934da16c09d1
SHA1 ae5dea2615aeec392a4467f28028a44e228dfc23
SHA256 4e2b2e5a92160f50610ca2627bc24ab5e9f3fd07aa85af44348d3b240c641f27
SHA512 7de56512fb3ace494814bd9fbee06c626f1475e91bcf9c79d12e7ca5c4d254cbd170be6302bcb92d7a2de7e4637ebe0464338847f1c49f2508919a649e3be447

memory/4732-50-0x0000000000D60000-0x0000000000DC0000-memory.dmp

memory/4732-56-0x0000000140000000-0x000000014024B000-memory.dmp

memory/4732-57-0x0000000000D60000-0x0000000000DC0000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 7256783a0aabb10df5f31a52a961e5ba
SHA1 37a4964f5a26638db7eaf3ade43bb242cfde9162
SHA256 ec842e366e2fe0377db86f42b02a8fb42c17412ba45caaaf7c441873e3bd5a40
SHA512 c9eead7d8aec316742bfd05cebbb0d2d7a545ee3684fe30613d845d8a98f8a3856a9aa5eb7edb3104242b651546b490d4d1cf5701eb430802d4f9d47850bea52

memory/3784-61-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/3784-69-0x0000000140000000-0x000000014022B000-memory.dmp

memory/3784-67-0x00000000001A0000-0x0000000000200000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 c0e77d168cb22a2c9279accb9cbe714d
SHA1 1d71f2907dbe2c1a623bad6a401d1c41dfd3feac
SHA256 4152517816c2033958ffdd5c7172ac70dc545d8fcb9300fa94d4f0a15b5b9199
SHA512 6e8ef56e6c773383908ea9950bd71454861e3d0a24e581b11d2d2c92cf015ed8f07b597834162caa0b131e1ead37bec419e2b59df62e75fa64ed41bab449d38b

memory/2712-78-0x0000000000C40000-0x0000000000CA0000-memory.dmp

memory/2712-72-0x0000000000C40000-0x0000000000CA0000-memory.dmp

memory/2712-85-0x0000000140000000-0x00000001400CF000-memory.dmp

memory/2712-83-0x0000000000C40000-0x0000000000CA0000-memory.dmp

memory/2712-81-0x0000000140000000-0x00000001400CF000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 17bf4c86b29661965f7aa15489cdacc6
SHA1 32380e47c390da960321982101299501dbaedac9
SHA256 cc7a9bcc88aab931ba52509c188ebd45295b4e448a93618b0ea1f0b018b71317
SHA512 7e76898196be5ac915343508fd0a15ee298666f47390b846f5eef04de9666a86fe94326521847896df9f975fe1f574049e10bdfd25e62fb89f1ab2106e9591fd

memory/3496-88-0x0000000000690000-0x00000000006F0000-memory.dmp

memory/3496-87-0x0000000140000000-0x00000001400B9000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 ea6843700cfb34f2b8bd14acb1397069
SHA1 7c635687a4698e7355af080c1ebe7526ac87dd15
SHA256 5450322dc53bc5ba4a4acff062be86262f1b223de1874c450feeed5a6aedc354
SHA512 1a299c7e323dfb90d2f23aa231368aa5bcf574842dc395d80d43c880816e11e00a6d1ea2226504ea24c2c29b6ce2c70d4426d9eb28bedb31c5cb56635f33152a

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 ef6150238d98305183a70419aca7d584
SHA1 4d10d058ef3b860fc1ce0c9679d6728a54f68f8d
SHA256 b76fa0aaad1224746be40d8f1a47fa8506edaa29f979df74a2decafc1ddfdac1
SHA512 cd1d2c23716cd94fc071ada4f55d555477853b58eefe5f70fd9c7ec8828d7fd2b83406738ce29e1dfce18b8dd44d85c62b9ed42052a6e67b8f7adaecacc3737f

memory/744-107-0x0000000140000000-0x00000001400CF000-memory.dmp

memory/4856-125-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/4344-124-0x0000000140000000-0x00000001400AB000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 50ad908f52777b75e6a24d747cd3a2ba
SHA1 46d71a81cf41374ca6dd55198266976d77974631
SHA256 712d746ec9016e6c32a096ddadd5583cdcf4c8ccf66ba78d02fa0e338b55127f
SHA512 c97df0199dfb14f99da318dc5dafd75bf7dd04f5776ccd18ed64fa3bfa38860c5ab3d0354e8d25c1c01b8e40d790ee15850e05135158378e674d1b45240a9c6d

memory/3976-137-0x0000000140000000-0x0000000140095000-memory.dmp

memory/1432-136-0x0000000000400000-0x0000000000497000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 9bc18677870e2f2930b39068cf5e5e9b
SHA1 2a97b4684dca9641d271ff415212ab2470cb5377
SHA256 1d1661416b3c4aa7cdacc84bd95d2e6e639766e4394f8d913c2b58a871bfcbb8
SHA512 8b909b21c0bdbe65af7c77d2ec2358272f29f17696525188d9f4b0504eb772d487b758f77821ce5583fbd07e8411263f0914e46bd002c24e1d43d6793150f981

memory/2956-140-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 994b6c9e86b4ccb903af90eae8874b36
SHA1 23efbad2da49245ce094cae9f68e11ec16458533
SHA256 909515cf38afc190eb4569f531992d465fd04b4e26e45adb47831c10212fe6f6
SHA512 808d6c6d6c393ac716f048369e0a51e56151be9e1fa41a1e99aeb635ff31d7d83047a3e9d9153cc4ff226599075a5a7c29e948444c7396fdc2d5d8647efacc1a

memory/2912-122-0x0000000000400000-0x0000000001EFA000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 1cc1ae25d0e74d67f93af8d98e8139a6
SHA1 f7edf3328a4ba7cc0577751e43dc6b14813c7368
SHA256 3965fdd7f28731fc24baa5725bf7634382ceb10873dc628355635fa130ff24da
SHA512 4e04596782ddec6b6bf417b202e67174b170d8a02eb28ba04723517f80e5d01c99e62c8ced71a2c6b25fdb67b09a7b57277652de072c0cad462e21d43c7142ad

memory/3584-152-0x0000000140000000-0x0000000140096000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 09c924c877c95969901ddff39a1d7d6b
SHA1 d6a7799a1b920b9d79556811ec74041895b8f208
SHA256 b65fcb00ceeea32dac07c8cb9fdc3459ab57b9e7b97122eb063265451af820a4
SHA512 b5fe57b12a94bfa286eeedbcb6e8e664435eeb9b42e665a780f7cc6ed2d97b3b0f015b2d2e9dda6de51416d009ae71c7973d43f0f9fdee0ad3994f1a3d405601

memory/2072-173-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3784-172-0x0000000140000000-0x000000014022B000-memory.dmp

memory/4732-171-0x0000000140000000-0x000000014024B000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 3d8447abf396b029a01d3afced47f54c
SHA1 a9e820271df501db8f3ddd7a21387bbf9bf67c22
SHA256 b521ebc2801a717ba05ba7eba5aae1fc9da0db0fa9fa0aa4576d21ac0d380a7e
SHA512 92555f9ec5f6bf2d874f89bcf98a23a6d2fada8313ecfd90eced00ef6e65f0d3635d78c3da5596d4f3d6f5a7983d3eecbcf4700cd18267c9fe4089791f1c0dc3

memory/4460-177-0x0000000140000000-0x0000000140102000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 2a1225c9e5d3ea5f800cc8e093be52e3
SHA1 1c1dc2f8be7691a5269764d7228039d19ac78ef6
SHA256 50b41a674c6dd9fe4f4c57a37d03cba4bb97ca16581d523378e487909dcf72ae
SHA512 3f9ce920eb4e5d4058b82ddc6c585bbcf1064ea712dc1335a6d0d206c3ad269e856ec47d7aa75c7a8fa88d3dfd9fe5113501d482e71b5162f5433deefffc95ff

memory/4496-188-0x0000000140000000-0x00000001400E2000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 b597e5c7ac383ea8114c0f0f95db1549
SHA1 8396ff7fa7fb0d5710953b975f655ab8b54fd2b3
SHA256 489afd218ed7806bd753cdd8e9120775794fe88feffbdd1115cb6269446be7ca
SHA512 0a85c2c89515cf6168411a978a9ca7df81cf48f1210d9e08804873ddf2aa1ee845a47b6f64b348902ee1e1dec6c76a92850cd5776f70f27f31cd2d32e39bde75

memory/4820-222-0x0000000140000000-0x0000000140147000-memory.dmp

memory/744-221-0x0000000140000000-0x00000001400CF000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 bb6d9cad498ec25ddd2d43b6c41737fb
SHA1 be0ce8a4a28a0399381fd04fb7c2e003b22f2f8a
SHA256 70926c5beb0c0398da1d3032f2b083844a75ffe0ef346a28eaa0e1624d6c16f8
SHA512 a2dbe951fe5c148d6b031de3db066d593903c49669df0fad5eec845e36c1eca167f752f1af238a9dd103bef1e206d185d09813f5374606e58d31c9db61174673

C:\Windows\System32\vds.exe

MD5 45278d9be328cb4f2b6896a7404710f6
SHA1 b637f8e264734a28586c2808b8d64ee42749b25c
SHA256 381180541b0e0108a8ec2a2ede11d691d3613c37e78d00a2812c2053386df4e9
SHA512 290f2e598df3970225eaadbb56fd68aba34fc70493b2e57a5092ea2f0795fe4e456b261c0e0dfb2b2ad468de4c57da646d1ead0590e57caace2027b9c46e929d

memory/2680-209-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/4044-233-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3496-207-0x0000000140000000-0x00000001400B9000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 306a3cf799ca650e9bdbbc5382ba757a
SHA1 d11944a8affc492d676c47d117fd0039df12602d
SHA256 361fe294b0bcb354bb1f73a466ebbc75ce7d9c37f74539bae0e28fb474b07748
SHA512 812740070421ad54e3f7c9a031c04784f806030003abf7f5fdf11b44b16b1a7c35dac98a6bdc36146ca7fee091beb0f373ef55cf76cb884db4ad4fbbd116e445

memory/4644-236-0x0000000140000000-0x0000000140216000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 e70195f914923744210af48fef68ec30
SHA1 cf8cf84eeed1eeebd036a1824ca707201f494f96
SHA256 b917c6df8def48f1a663c3bcdb0407066b85b49f8a9ea2690000d6e1c6fe388e
SHA512 363746e825faac6cf4c69bb47f976bff92da09516e661a08d0b68760eb21fbdafaf23ea92f247f2bedb368e73ac18609329b7738e1fabc0b7db8bb79590ecb2d

memory/3976-247-0x0000000140000000-0x0000000140095000-memory.dmp

memory/4844-256-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/5112-267-0x0000000140000000-0x0000000140179000-memory.dmp

memory/2956-260-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 7bfedcd05031f2083f791fd6a356557a
SHA1 9f2d9adc0f7e37160318cbdad362ad1e8891cc3b
SHA256 16e0fccca70da97029fba52bb32605793676139a6a2cdaf76d523b221cb50b29
SHA512 350b64483f165de46e22207389aa8834466f673071dbb8e6022b08be444cb26ac4a395f0937fe7b9f80b5150a400dc3cf767561240266f4f54e6475e6ca34619

memory/3584-455-0x0000000140000000-0x0000000140096000-memory.dmp

memory/2072-530-0x0000000140000000-0x0000000140169000-memory.dmp

memory/4460-678-0x0000000140000000-0x0000000140102000-memory.dmp

C:\Users\Admin\.node_repl_history

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2956-682-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/4496-688-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/2680-689-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/4820-691-0x0000000140000000-0x0000000140147000-memory.dmp

memory/4044-692-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/4644-695-0x0000000140000000-0x0000000140216000-memory.dmp

memory/4844-697-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/5112-698-0x0000000140000000-0x0000000140179000-memory.dmp

C:\Windows\system32\AppVClient.exe

MD5 f0735f3b934cc9b0295fe40a55b6408b
SHA1 92947f4866062260d6c32661704c53e71f3317d6
SHA256 82c53a95afde795b0462a09136d8ffdd04f7163097ab9e0b58b1bd57683eb4f4
SHA512 5ad268b09c33725bca0c10ce208670c262a3556743889b6e99c31bc5f46a156943a69698090cb17df45b1d9ed8c552934c3c21cba19486a568b745a91c2690de

C:\Program Files\7-Zip\7z.exe

MD5 e9edc850901a2527f380e1737627864b
SHA1 d5c4f9682083d07ae5453020d513419183994074
SHA256 b9dc75167b68bfdb0f8ba5f93ac122fe7342a786cd93de0e72c9ce74e596ac16
SHA512 090a8371d96b1646114c160c64bfca28fb929047b572efbb8733084e499a1a585f8d26ccdf9da9e3418dbf94f265e8726a7785187f9868882162ef9c70711efe

C:\Program Files\7-Zip\7zG.exe

MD5 f5308b32efabd180174ef4817487c7f1
SHA1 fa1f519a3550de5e308c063abc201c3c03cb634b
SHA256 3186c9df83e357a9ef6533271d3b82d6eb49076e06c8dc34145cff6457885846
SHA512 60e99d68c89e6fe4056799f53d0a01114f9fb58b25132e29fa9bfcf1cf23129d6334964eac7ceac690dda32561b03fe7137220007420134c779f97c3548d5286

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

MD5 9044b1132c3f0cafd0880a8bcb7fc148
SHA1 1eff4da73ee6dd6b888bbb9b7f0fa6e4b2b24376
SHA256 1d45a878dde9fa4e98a3d90ecd79afc0dcd0beda4019c0c0e6f6afb060228906
SHA512 62894b1b0d1c8d80fd9c800e1b7ac9d0ca6c33d6cab5676d29d0e06d35dea37f33b6967697fb81164e410914b18a356cd7e3ba5096663299413ccb83d6fa5b24

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

MD5 8f3b61033a09016ccc46e34acf4ac056
SHA1 06a8507ea7f7dc3cac6d3332ffb7617c18c6fc7c
SHA256 4daf82c217d4959b61fa89f8fcef35ca73f88514dd17662004c37a497e97331d
SHA512 9438adee80b64a40a7e060955243e4c7b9c9acd695be7dfbc22530d4690aee92dd52766a53f2f7331e64cdf9bb3fc42e58fe6c72bf905044207f149596a33a5a

C:\Program Files\Java\jdk-1.8\bin\javap.exe

MD5 54ef96158fb6c86e5b0aa166ff388b1e
SHA1 2af959527c2dbb04523ac2db0ecd26badf75d933
SHA256 775d75340198b9d824aeaafecbe9067fce25e36f8e0743a1cf76acc1c1afe1f7
SHA512 75f0cf9dbbf09b15321eed677cf2287bb1f04c1eeb12cecaa973989edad4e1d69d6ec281a52a38ac94bb431521a6ac163b193d8b373512e2c86f33eb0d2e8a0b

C:\Program Files\Java\jdk-1.8\bin\javah.exe

MD5 9ed4dac73716f7666a3ea78bf6f07acf
SHA1 e32c898af1d6370cb6e2e7d7b5e539cf41b7dba3
SHA256 f65751d277c1817c90a6738bb6f09c0ef5fa9ea708e650cf14b7151cfbebdb53
SHA512 0e39a6e6b402195c03a9a35a27f44fc09ac6577fe495ccd27d0c100a773fcfb265bcf3a4583c50882e8d047d0a88d7c5a543446d5c5d80cafd57a143d9da39a6

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

MD5 c66ee9b2a442c26b702748a3e2143057
SHA1 298c26f2f9b2e1395fd4bfabc30d47c984ab4fb5
SHA256 d796e2c17ffe7799bb185690405098311b34c2e8490f75e299f5110fa9ea3985
SHA512 011ad89a419c5ab5be06f49f89eb08510f444787982a2bfa27d44adc4142d9e9a3da6600323880de06566b9223dddd14b6cade10f8926ee4f6f4c7a54afa43b8

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

MD5 2c67a06783fc5d642d4a63c44b0cfdad
SHA1 029bee21f41c90dd580bf0e5950efd2ba6c8a584
SHA256 4ce7e447a991ecfa18f44e013d0e0d36a77da8e7638e429909488ba9c2ebaea3
SHA512 44dbe6f640bd702cfd96ae4d54af1b4ba1379e841308fdd0fc002d6399e48cdb38adff2ecd2c403e5e5954e258d735ec188c11d9a204f2f65b5d876395b892c2

C:\Program Files\Java\jdk-1.8\bin\javac.exe

MD5 4c7e37f5a449318c9b6873b5a3c89a16
SHA1 35c6c1cfaf6b71cc849d99a06b52e217f62365fe
SHA256 d9a3fe6b907894f5a7e96a87027fb6485c47d63b561ad55d40ae158eec291513
SHA512 3efa372a99301fdf2497a8148811f77b6f610d29eaed76d27f1bbecb07f2455f615f07fe927dd8d8359ccfd594a24b490fe20231d2fb294050732c3fb93b5723

C:\Program Files\Java\jdk-1.8\bin\java.exe

MD5 cdb8cbba0a9627dcb2e71af1227f41e6
SHA1 73cafe80e8423eec7218c50d5d3a4989b438a527
SHA256 8a76efddd5965c146ef3647881d6eb6534462289f62352b444c38893d931d84a
SHA512 f4d7ba5f38dd87f76acfdaeb8cd833b0052eeaf2b145d4a260f6cdc49b6da41023df5b6b8ef507920711b67afa3aabcb7159f41c643caaf8252cd5e19a78572e

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

MD5 6424ef4a16f410b7b7cf56d4c5f5bfd9
SHA1 d42655407be9b6f58456c71e490b750a1d2e7fe4
SHA256 5c7cfd65ea24bacde1177ae3e84e1a3b2565910d2da6a5a153f2554669e17277
SHA512 73db490083733be934fef069738266db2c980e41535c8f49abff5c1d969b8db13b70c1c47552ab1454a49f9342bc3e35fc92b61f88474bea3ffda2bd4dee593a

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

MD5 01b116331796cbe9c18841d66017abd8
SHA1 cf220595c6a3da9fc6e47fc854f24e12172cc052
SHA256 8105470202bb72c10d3d562e5ef744a45290d740999f586da4e66becd6e28a4d
SHA512 faefe5c3ff4c607d82fc79e056319f18fb3088772d68e5ed1aa8698414d36e3124b4ecf79e2b8a1c6bb5cb36108d2bd75285c171e121c007fffcb6f95596b4ba

C:\Program Files\Java\jdk-1.8\bin\jar.exe

MD5 a8eb1a5769f81f12a403793adef19c69
SHA1 2318a2840cd46cce378f8334adb607c0503fd4af
SHA256 99f187bd199829e32e6ec923b0a79245e9ffdfcc4d2b614cb82bad34305b6311
SHA512 306777b5850c941a6e1435f9fe7903d23695fbd061d6a4ad19ae4a49f5577e0123ed61eefb15bbab133d0870199ebe81de47a2420f3b973a0c1fee537cd00ecd

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

MD5 c096aefa1ab64ea11def4ca83b9f3435
SHA1 925ba62074336dfe9e2bb32a2d6d6ef1b5cdca2f
SHA256 00e40a21a1349b62de2e23e9ef8c23864b6cd56f7c436c1c0a449a5d67be83f1
SHA512 c396d0d0a8c8c089438062fe956c77c935b449f25a85745233405b428c6a715718e57514e83a35d1626011220bd834bfbb7f683d1dad73e3ffc23a45e65a082c

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 b69d99d163f007e487ba1e5dd35d0214
SHA1 d9170a0ca9eda457dfc40e62d4cced9a08d4ec56
SHA256 daec949356611b0df1fda23783e11d8ad17a691c079577bb49805ecd1f6a18fa
SHA512 d3ab74ec70bed67c74d3ddfad8335df8ae191cd575d108488cbd9ccff38e8d4582445426010cd0340b421f9d7b8954f8603972f9da7f6d46bb54f1f596cf6106

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 cb0fa679b7d08ce3c0cff9ebcffb3c8b
SHA1 9b259102a9486e6f0d423acbd28e22ff74d365f2
SHA256 0ddc8dfaf02e6e651609c2c0cc9390f07810f01f37e61f94724b97bd866a4e82
SHA512 7e7bf372aaadaa995af182ab7abb5f424394a67fb0334555348ebbb847a05a4ba1f4325d540445a548cade83bf1192f6fae633475c9792a21c92122abc4fef70

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 86e80de11cadd4cb285dc29fd45d268a
SHA1 a2d55cf00c5fe77a44b73e9d61e70001dbeb3450
SHA256 c6183ab77b01ae12bc60f93e5abb78c978da6c210172d9e1dde9d24193bd332c
SHA512 75338b3d674d708095df4c16d88b6bffc102f9c73a6d23dda4b46c3658ebdef56aea09f134e03d29b8c9c3694ae4af2c7a0e6f6c571b9c980b74bb7d7aad4348

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 06483e5d5f3668df7d05e9842b67d3e2
SHA1 4dbd7e27768d451388d3144a6bf4f97b5b7b495f
SHA256 a78d7c7969dc3966d6b22d9c55df752a8fa65e05eb0c4db44f66a10342dfb7b6
SHA512 39253791e2d9823ad3c7c0158a850bae49d88619e2859d00560b9f93d8ba07225876117b8cafddabad764647121c788eccbb7bc22153a5d3b04dd728329bf145

C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

MD5 41bc3abda0528e928ae534c1ddb95b75
SHA1 1a8bef75335a7aca6c5802e23c658def85a833f9
SHA256 b7a8aeb7975880d3c122279176876d5cd5543920be940743aa2bb700c971dffd
SHA512 9c0e2b534fe29ddad537ef8e36d6d96263f345fde35f540cf2df2e5f37e08646510b840207d08aa52516c36a3e52a20b511612454d28a50d689c961782a9420a

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

MD5 2c5a80abcab205c514c0a451ba932156
SHA1 8a7e1ca25e9dea3f7906c28586556dfdae8edf27
SHA256 5e31399f94c6545d20909e06376f46fa623e85c03079b58cc280b996aab3ea56
SHA512 fec17a39d7c18823ac60181ca5ce25de6338e4b2e610290091469a1550a06950c9537ce20ba3a67b73e201ca1b6bb760ee8b09683c9ec54bac1962c186057cd9

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

MD5 82ded81dfbdc02be78c6e7ba5698c0e6
SHA1 27c6da2613d992e6ea322b764bcb59d5710ed4b3
SHA256 f004f8ecafa72f510d2ef5c5db9aa79ff2c113f7f52b39b4fed99ac83afa6d8d
SHA512 f7f195976047273ebb1f899671e571a4a3d5d0df2cfd9a767a47c268703bddbc8bfe2ee0e2185af34e14dbc3aaeaf355d250ff6e5fc22fba01dc5475b1150132

C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

MD5 55e26e0432e5d36f592f7676f12046ec
SHA1 19d71a42a24a2140dbb6503291185a34df4d4220
SHA256 9340b2cea74409e1abbce83a0ff2d6a72a23176a21f01d63ba71261fab63acb0
SHA512 53b1f535832caea79d87da703875c333370c7b7dac5373a1a3de0a3a7d87f68e2aedd6f62a962ee7c459b5bef48e36ab03199201d9cc8ab932b4b9657a35aee7

C:\Program Files\dotnet\dotnet.exe

MD5 19918676ddd31ef482260ab1eef6fa1b
SHA1 a4b5e5aea2e867fe72415fb40c78766c096e0c3a
SHA256 d2c452df05d43c45b3f7f38f45d25e0b0ae18e7b9991faf1e48c15ffe85c459f
SHA512 3ce8f78d1539c8b3e40d93121b9aa172a4392415c2b1aa8ac4a249716b2d0196b5e8cd2907989aebb467bafac4e246c0fc37d018f3c12cc4a7a01ecb24c28076

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 cedc6370272bc3775b34b3828c4faa05
SHA1 fb25e180b99890899710f2fd2936d6ac5663cc16
SHA256 ff94b54bfcc49c807330196ef7952e4e4d817cab0109ad5f07aa628c98fcf904
SHA512 b2c31e49835edb430fe65cdb6652b7366bb5bb1ccd0e022c0fbc021b202cb8e6415a99dc72e6e19bd1e44525c6037101c95d5564faebda5b64725fce4611523d

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 7ee50c33b66a0650fc105011f3f78663
SHA1 b6ff74656f7b774059b98d82ee3a00cdcfe3c2d9
SHA256 04bf5adbebd5fdbe04d41dd0fff93e65f60e1465ded720bb156350419a0b0a79
SHA512 9ab9e413cd990d815a9e92783c7fe0a9f0de844b06b4c2142858ede14fbd4fdae795e0ded63a824fd25953cabea8d439b822c4acf0ac5d7672a8e3364dff573d

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 fd4d270ccf30530a3869edd1354d9ff1
SHA1 2a1a97659d7f423036402acaa1934e4841263e27
SHA256 d90e70494a0f75909cd80ac0b0fe62d0d0f266f2d458172996fd87991d63bd32
SHA512 8c381451c81235a4ac44e3413ea9debb0bfb7b7fbd303d34574cee412c9fdb45155c820167693a45bc7adf488eb416272a5b097742e4b570d4b37bbd2708935b

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 bdf49d55e810925bb0780b6b1a177bc8
SHA1 1cb232da8dc226a9b5ef24793178e3cb33e6ce78
SHA256 bf7561816c6317ff709783c727207d58d167e68b31626f1faa646b8596d1c89d
SHA512 9f02022621ed6e44eace08d48b175b421fcb9a811e316f78d2a7cdd53413674edd7e739624769c3f27ea2b2edc89187281dd16f86bba12e47328c78f0fb68680

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 d8528a7f3c836c506ebbcfea8003499d
SHA1 36f69e70640c1a90d3a3fecdfdf61120cccf3f50
SHA256 42e3a525578e8989e7f01cf4ae11ef1efe9279dd046c6e3e120fcc9b1a1ae279
SHA512 82f1c74201092221100e02385170995a8c4b0c8d3ed15d066fcbebe44b6f60547c481963cb629f2ff48663009f84152d5d15fd34e3513ea34cb3f3d89596988d

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 75348808cbd33cd09a0d22c8d15d7345
SHA1 bbd8d6a6302cce2ddb524efd5d834da28c2e8127
SHA256 1af385243595e83e006e5aa41957b0ae463ba50ba92f7f04204792d5b6a93145
SHA512 75abb13f7d61e2c8fdb62324e59394bcbe14644537ff5377fe1cbc5bdd2c76d7d8fea8dfcd9e474c8cb947955b299089b7d29a70852c593858c5ad51ba292e8e

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 901a04de85a995dcbed74b897a38703a
SHA1 f1c1190fdd124c38bb9950cd68814a899eb8e0bc
SHA256 4d1c0f8dba2f58f39897c22f2d78cad122a8fc60965e88fe93db6339c093b9b0
SHA512 50f51c6ec32d794be6f22c9efb8e690b4484399f2f02a3e595167734e6a67b93bab04ec07ca60892de29086fcac47ed8766c348f25a57d515e5ded17c1528fc4

C:\Program Files\7-Zip\Uninstall.exe

MD5 7d7a9007b973ab27c86793a5c20acffe
SHA1 15df7b079250fb69311f99fb75e613c121d420af
SHA256 947d1513ada276512eeac995a679ce20973b7cff67c335fe976349a84f98d120
SHA512 df015ec5bf06a783d6929341b6333ca24ceb30a74f6885b5d09c5d21eca1ff521c390cdc815fe5a50ba61709f9ada13c642f678e845a05184f83a72482aba640

C:\Program Files\7-Zip\7zFM.exe

MD5 7bc948fa5a7b669608c6a72a8be9158f
SHA1 6c8a2848d2383cafdae5dfb90c058b0e11ad83b9
SHA256 3607a3c17c4346a789322f387f6d15693a714aa9904a9e825cfd1a4e19b2e82b
SHA512 9cff79ac57ab23f97fac855b74f4168b87b2d499d2030306c1806d476e35e94e72260a7cd640067682987520d1d0355bbdaa148fded8de545f5969c09e1d08af

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 27faaa9bfd660fbcc1970ec108cf20cc
SHA1 95bf1f5fa12463bc1e3dba189310ae7b4797acd3
SHA256 83548e25f7a6630cc8d66545011269db9d2bef004ded73a936a65587f4f1748c
SHA512 de8c37d6fe72f39f398c10944e919747b5b99e457ccef54d25df09883433e06d7a06d0dc10782127d7f48865c7f9ab41e9ff5549ff4ca17450bf7c997a168fc1

C:\Windows\system32\SgrmBroker.exe

MD5 5d52480e96e1a61e9054f9b0bd36943b
SHA1 d77eb6bcfd5b74209f366402d69d808bde44fc0a
SHA256 2d161cedbb3194ca825720a2bce58e8e50100b1b28fd81b5bf8d48a3c18d02a5
SHA512 7ec3621634702cc1a0e88d6550212a04fc21bf590552ca1f1f7e2d4044bc4bb1673cbb0395e337f0d1ee1c7a669c1a9ba1093d9d7123382b69a1f532bece284c

C:\Windows\system32\msiexec.exe

MD5 48503050c678eaf98cea333099011122
SHA1 41c6efad21af91eb256fad2aed5d72eaca91e759
SHA256 e34bc99056cc55c596a263025c12aa14c2e885ba9f68b75a9caed52c5e2d253a
SHA512 435830a2f76f2f6e8a0f67914c3a3eb60171dd6adb7c2d9ac38f69882b858708e092d020bdeaef2a7380e234ed612b2999d7e83e5bfb36bbaf4bf631aa8a1b24